Newest Plugins

Juniper Junos bfdd RCE (JSA10690)


Synopsis:

The remote device is missing a vendor-supplied security patch.

Description:

According to its self-reported version number, the remote Juniper
Junos device is potentially affected by a remote code execution
vulnerability in the BFD daemon (bfdd). A remote attacker, using a
specially crafted BFD packet, can exploit this to cause a denial of
service or execute arbitrary code.

Note that Nessus has not tested for this issue or the host
configuration but has instead relied only on the application's
self-reported version number.

See also :

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10690

Solution :

Apply the relevant Junos software release or workaround referenced in
Juniper advisory JSA10690.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Juniper Junos IPv6 sendd DoS (JSA10688)


Synopsis:

The remote device is missing a vendor-supplied security patch.

Description:

According to its self-reported version number, the remote Juniper
Junos device is potentially affected by a denial of service
vulnerability in sendd due to improper handling of IPv6 Secure
Neighbor Discovery (SEND) Protocol packets when the Secure Neighbor
Discovery feature is configured. A remote attacker, using a crafted
SEND packet, can exploit this to cause excessive consumption of CPU
resources, resulting in an impact on CLI responsiveness and the
processing of IPv6 packets via link-local addresses.

Note that Nessus has not tested for this issue or the host
configuration but has instead relied only on the application's
self-reported version number.

See also :

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10688

Solution :

Apply the relevant Junos software release or workaround referenced in
Juniper advisory JSA10688.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Juniper Junos BGP-VPLS Advertisements RPD DoS (JSA10687)


Synopsis:

The remote device is missing a vendor-supplied security patch.

Description:

According to its self-reported version number, the remote Juniper
Junos device is potentially affected by a denial of service
vulnerability due to improper handling of BGP-VPLS advertisements with
updated BGP local preference values. A remote attacker can exploit
this to crash RPD with a NULL pointer dereference exception.

Note that Nessus has not tested for this issue or the host
configuration but has instead relied only on the application's
self-reported version number.

See also :

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10687

Solution :

Apply the relevant Junos software release or workaround referenced in
Juniper advisory JSA10687.

Risk factor :

High / CVSS Base Score : 7.1
(CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Juniper Junos LAST_ACK State DoS (JSA10686)


Synopsis:

The remote device is missing a vendor-supplied security patch.

Description:

According to its self-reported version number, the remote Juniper
Junos device is affected by a denial of service vulnerability due
to the improper handling of TCP connection transitions to the
LAST_ACK state when the device has more data to send. A remote
attacker can exploit this to cause the socket to be stuck in the LAST_ACK
state indefinitely, leading to exhaustion of memory buffers (mbufs)
and connections.

Note that Nessus has not tested for this issue or the host
configuration but has instead relied only on the application's
self-reported version number.

See also :

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10686

Solution :

Apply the relevant Junos software release or workaround referenced in
Juniper advisory JSA10686.

Risk factor :

High / CVSS Base Score : 7.1
(CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Juniper Junos SRX Series 'set system ports console insecure' Local Privilege Escalation (JSA10683)


Synopsis:

The remote device is missing a vendor-supplied security patch.

Description:

According to its self-reported version number, the remote Juniper
Junos SRX Series device is potentially affected by a privilege
escalation vulnerability related to the 'set system ports console
insecure' feature. A local attacker can exploit this vulnerability by
using access to a console port to gain full administrative privileges.

Note that Nessus has not tested for this issue or the host
configuration but has instead relied only on the application's
self-reported version number.

See also :

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10683

Solution :

Apply the relevant Junos software release or workaround referenced in
Juniper advisory JSA10683.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Juniper Junos J-Web Multiple Vulnerabilities (JSA10682)


Synopsis:

The remote device is missing a vendor-supplied security patch.

Description:

According to its self-reported version number, the remote Juniper
Junos device is potentially affected by multiple vulnerabilities in
the J-Web component :

- A cross-site scripting vulnerability exists due to a
failure to validate input before returning it to users.
A remote attacker, using a crafted request, can exploit
this to gain access to session credentials or execute
administrative actions through the user's browser.

- A denial of service vulnerability exists in error
handling that allows an attacker to crash the J-Web
service.

Note that Nessus has not tested for these issues or the host
configuration but has instead relied only on the application's
self-reported version number.

See also :

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10682

Solution :

Apply the relevant Junos software release or workaround referenced in
Juniper advisory JSA10682.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

MySQL 5.5.x < 5.5.45 / 5.6.x < 5.6.26 Multiple Vulnerabilities


Synopsis:

The remote database server is affected by multiple vulnerabilities.

Description:

The version of MySQL running on the remote host is 5.5.x prior to
5.5.45 or 5.6.x prior to 5.6.26. It is, therefore, potentially
affected by the following vulnerabilities :

- A buffer overflow condition exists in mysqlslap due to
improper validation of user-supplied input when parsing
options. An attacker can exploit this to cause a denial
of service or possibly execute arbitrary code.
(OSVDB 125441)

- A flaw exists when handling CHAR(0) NOT NULL column
operations. An attacker can exploit this to cause the
server to exit, resulting in a denial of service.
(OSVDB 125442)

- A use-after-free error exists whenever the Enterprise
Firewall and Binary Logging components are both enabled.
An attacker can exploit this to execute arbitrary code.
(OSVDB 125443)

- An off-by-one overflow exists due to improper validation
of user-supplied input by the functions related to
string copying. An attacker can exploit this to cause
a denial of service or possibly execute arbitrary code.
(OSVDB 125444)

See also :

http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-45.html
http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-26.html

Solution :

Upgrade to MySQL version 5.5.45 / 5.6.26 or later.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Atlassian JIRA < 5.1.5 SOAP API Arbitrary File Overwrite


Synopsis:

The remote web server hosts a web application that is potentially
affected by an arbitrary file overwrite vulnerability.

Description:

According to its self-reported version number, the version of
Atlassian JIRA hosted on the remote web server is prior to version
5.1.5. It is, therefore, potentially affected by an arbitrary file
overwrite vulnerability in the SOAP API used by JIRA. A remote,
unauthenticated attacker can exploit this to overwrite arbitrary files
with malicious Java code, which the attacker could then execute on the
JIRA server.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.

See also :

http://www.nessus.org/u?5ff41f32

Solution :

Upgrade to Atlassian JIRA 5.1.5 or later. Alternatively, refer to the
vendor for patch options.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Atlassian JIRA 4.2.x < 5.1.1 Multiple XSS


Synopsis:

The remote web server hosts a web application that is potentially
affected by multiple cross-site scripting (XSS) vulnerabilities.

Description:

According to its self-reported version number, the version of
Atlassian JIRA hosted on the remote web server is 4.2.x prior to
5.1.1. It is, therefore, potentially affected by multiple cross-site
scripting (XSS) vulnerabilities that allow a remote attacker to embed
arbitrary JavaScript code in a JIRA page.

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.

See also :

http://www.nessus.org/u?a3417d3d

Solution :

Upgrade to Atlassian JIRA 5.1.1 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Atlassian JIRA 4.3.x < 5.1.1 Multiple Open Redirect Vulnerabilities


Synopsis:

The remote web server hosts a web application that is potentially
affected by multiple open redirect vulnerabilities.

Description:

According to its self-reported version number, the version of
Atlassian JIRA hosted on the remote web server is 4.3.x prior to
5.1.1. It is, therefore, potentially affected by multiple open
redirect vulnerabilities. A remote attacker, using a crafted URL, can
exploit these vulnerabilities to redirect users to external, untrusted
websites, allowing further attacks to be conducted.

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.

See also :

http://www.nessus.org/u?a3417d3d

Solution :

Upgrade to Atlassian JIRA 5.1.1 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Atlassian JIRA 4.2.x < 5.1 XSRF


Synopsis:

The remote web server hosts a web application that is potentially
affected by a cross-site request forgery vulnerability.

Description:

According to its self-reported version number, the version of
Atlassian JIRA hosted on the remote web server is 4.2.x prior to 5.1.
It is, therefore, potentially affected by a cross-site request forgery
vulnerability, which could allow a remote attacker to trick a victim
into posting issue comments of the attacker's choosing.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.

See also :

http://www.nessus.org/u?a3417d3d

Solution :

Upgrade to Atlassian JIRA 5.1 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Atlassian JIRA < 5.0.7 Privilege Escalation


Synopsis:

The remote web server hosts a web application that is potentially
affected by a privilege escalation vulnerability.

Description:

According to its self-reported version number, the version of
Atlassian JIRA hosted on the remote web server is prior to 5.0.7. It
is, therefore, potentially affected by a privilege escalation
vulnerability. A remote attacker, using a crafted URL, can exploit
this to bypass administrator-only authorization controls, thus gaining
the ability to execute a large number of possible administrative
actions.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.

See also :

http://www.nessus.org/u?a3417d3d

Solution :

Upgrade to Atlassian JIRA 5.0.7 or later, or apply the vendor-supplied
patch that applies to your installed version.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Atlassian JIRA 4.2.x < 4.4 / 4.3.x < 4.4 Multiple XSS


Synopsis:

The remote web server hosts a web application that is potentially
affected by multiple cross-site scripting (XSS) vulnerabilities.

Description:

According to its self-reported version number, the version of
Atlassian JIRA hosted on the remote web server is 4.2.x or 4.3.x prior
to version 4.4. It is, therefore, potentially affected by multiple
cross-site scripting vulnerabilities, which can allow attackers to
gain access to cookie-based credentials or embed their own JavaScript
into a JIRA web page.

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.

See also :

http://www.nessus.org/u?5f33ff4c

Solution :

Upgrade to Atlassian JIRA 4.4 or later. Alternatively, refer to the
vendor for patch options.

Risk factor :

Medium / CVSS Base Score : 5.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Atlassian JIRA < 4.2.2 Open Redirect


Synopsis:

The remote web server hosts a web application that is potentially
affected by an open redirect vulnerability.

Description:

According to its self-reported version number, the version of
Atlassian JIRA hosted on the remote web server is prior to version
4.2.2. It is, therefore, potentially affected by an open redirect
vulnerability due to improper sanitization of user-supplied input to
an unspecified parameter. A remote attacker, by enticing a user into
following a crafted URL, can exploit this vulnerability to redirect
the user to an attacker-controlled website.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.

See also :

http://www.nessus.org/u?881df9e9

Solution :

Upgrade to Atlassian JIRA 4.2.2 or later, or apply the vendor-supplied
patch if running JIRA version 4.1.2.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

SUSE SLED11 / SLES11 Security Update : xorg-x11-libX11 (SUSE-SU-2015:1334-1)


Synopsis:

The remote SUSE host is missing one or more security updates.

Description:

xorg-x11-libX11 was updated to fix one security issue.

This security issue was fixed :

- CVE-2013-7439: Multiple off-by-one errors in the (1)
MakeBigReq and (2) SetReqLen macros in
include/X11/Xlibint.h in X11R6.x and libX11 before 1.6.0
allowed remote attackers to have unspecified impact via
a crafted request, which triggered a buffer overflow
(bsc#927220).

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/927220
https://www.suse.com/security/cve/CVE-2013-7439.html
http://www.nessus.org/u?2f807aa9

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 11-SP4 :

zypper in -t patch sdksp4-xorg-x11-libX11-12014=1

SUSE Linux Enterprise Software Development Kit 11-SP3 :

zypper in -t patch sdksp3-xorg-x11-libX11-12014=1

SUSE Linux Enterprise Server for VMWare 11-SP3 :

zypper in -t patch slessp3-xorg-x11-libX11-12014=1

SUSE Linux Enterprise Server 11-SP4 :

zypper in -t patch slessp4-xorg-x11-libX11-12014=1

SUSE Linux Enterprise Server 11-SP3 :

zypper in -t patch slessp3-xorg-x11-libX11-12014=1

SUSE Linux Enterprise Server 11-SP2-LTSS :

zypper in -t patch slessp2-xorg-x11-libX11-12014=1

SUSE Linux Enterprise Server 11-SP1-LTSS :

zypper in -t patch slessp1-xorg-x11-libX11-12014=1

SUSE Linux Enterprise Desktop 11-SP4 :

zypper in -t patch sledsp4-xorg-x11-libX11-12014=1

SUSE Linux Enterprise Desktop 11-SP3 :

zypper in -t patch sledsp3-xorg-x11-libX11-12014=1

SUSE Linux Enterprise Debuginfo 11-SP3 :

zypper in -t patch dbgsp3-xorg-x11-libX11-12014=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.5
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

SUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2015:1331-1)


Synopsis:

The remote SUSE host is missing one or more security updates.

Description:

IBM Java was updated to 7.1-3.10 to fix several security issues.

The following vulnerabilities were fixed :

- CVE-2015-1931: IBM Java Security Components store plain
text data in memory dumps, which could allow a local
attacker to obtain information to aid in further attacks
against the system.

- CVE-2015-2590: Easily exploitable vulnerability in the
Libraries component allowed successful unauthenticated
network attacks via multiple protocols. Successful
attack of this vulnerability could have resulted in
unauthorized Operating System takeover including
arbitrary code execution.

- CVE-2015-2601: Easily exploitable vulnerability in the
JCE component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
read access to a subset of Java accessible data.

- CVE-2015-2613: Easily exploitable vulnerability in the
JCE component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
read access to a subset of Java SE, Java SE Embedded
accessible data.

- CVE-2015-2619: Easily exploitable vulnerability in the
2D component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
read access to a subset of Java accessible data.

- CVE-2015-2621: Easily exploitable vulnerability in the
JMX component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
read access to a subset of Java accessible data.

- CVE-2015-2625: Very difficult to exploit vulnerability
in the JSSE component allowed successful unauthenticated
network attacks via SSL/TLS. Successful attack of this
vulnerability could have resulted in unauthorized read
access to a subset of Java accessible data.

- CVE-2015-2632: Easily exploitable vulnerability in the
2D component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
read access to a subset of Java accessible data.

- CVE-2015-2637: Easily exploitable vulnerability in the
2D component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
read access to a subset of Java accessible data.

- CVE-2015-2638: Easily exploitable vulnerability in the
2D component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
Operating System takeover including arbitrary code
execution.

- CVE-2015-2664: Difficult to exploit vulnerability in the
Deployment component requiring logon to Operating
System. Successful attack of this vulnerability could
have resulted in unauthorized Operating System takeover
including arbitrary code execution.

- CVE-2015-2808: Very difficult to exploit vulnerability
in the JSSE component allowed successful unauthenticated
network attacks via SSL/TLS. Successful attack of this
vulnerability could have resulted in unauthorized
update, insert or delete access to some Java accessible
data as well as read access to a subset of Java
accessible data.

- CVE-2015-4000: Very difficult to exploit vulnerability
in the JSSE component allowed successful unauthenticated
network attacks via SSL/TLS. Successful attack of this
vulnerability could have resulted in unauthorized
update, insert or delete access to some Java accessible
data as well as read access to a subset of Java Embedded
accessible data.

- CVE-2015-4729: Very difficult to exploit vulnerability
in the Deployment component allowed successful
unauthenticated network attacks via multiple protocols.
Successful attack of this vulnerability could have
resulted in unauthorized update, insert or delete access
to some Java SE accessible data as well as read access
to a subset of Java SE accessible data.

- CVE-2015-4731: Easily exploitable vulnerability in the
JMX component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
Operating System takeover including arbitrary code
execution.

- CVE-2015-4732: Easily exploitable vulnerability in the
Libraries component allowed successful unauthenticated
network attacks via multiple protocols. Successful
attack of this vulnerability could have resulted in
unauthorized Operating System takeover including
arbitrary code execution.

- CVE-2015-4733: Easily exploitable vulnerability in the
RMI component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
Operating System takeover including arbitrary code
execution.

- CVE-2015-4748: Very difficult to exploit vulnerability
in the Security component allowed successful
unauthenticated network attacks via OCSP. Successful
attack of this vulnerability could have resulted in
unauthorized Operating System takeover including
arbitrary code execution.

- CVE-2015-4749: Difficult to exploit vulnerability in the
JNDI component allowed successful unauthenticated
network attacks via multiple protocols. Successful
attack of this vulnerability could have resulted in
unauthorized ability to cause a partial denial of
service (partial DOS).

- CVE-2015-4760: Easily exploitable vulnerability in the
2D component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
Operating System takeover including arbitrary code
execution.

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/935540
https://bugzilla.suse.com/938895
https://www.suse.com/security/cve/CVE-2015-1931.html
https://www.suse.com/security/cve/CVE-2015-2590.html
https://www.suse.com/security/cve/CVE-2015-2601.html
https://www.suse.com/security/cve/CVE-2015-2613.html
https://www.suse.com/security/cve/CVE-2015-2619.html
https://www.suse.com/security/cve/CVE-2015-2621.html
https://www.suse.com/security/cve/CVE-2015-2625.html
https://www.suse.com/security/cve/CVE-2015-2632.html
https://www.suse.com/security/cve/CVE-2015-2637.html
https://www.suse.com/security/cve/CVE-2015-2638.html
https://www.suse.com/security/cve/CVE-2015-2664.html
https://www.suse.com/security/cve/CVE-2015-2808.html
https://www.suse.com/security/cve/CVE-2015-4000.html
https://www.suse.com/security/cve/CVE-2015-4729.html
https://www.suse.com/security/cve/CVE-2015-4731.html
https://www.suse.com/security/cve/CVE-2015-4732.html
https://www.suse.com/security/cve/CVE-2015-4733.html
https://www.suse.com/security/cve/CVE-2015-4748.html
https://www.suse.com/security/cve/CVE-2015-4749.html
https://www.suse.com/security/cve/CVE-2015-4760.html
http://www.nessus.org/u?d2b261d6

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 12 :

zypper in -t patch SUSE-SLE-SDK-12-2015-359=1

SUSE Linux Enterprise Server 12 :

zypper in -t patch SUSE-SLE-SERVER-12-2015-359=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 10.0
(CVSS2#E:ND/RL:ND/RC:ND)
Public Exploit Available : true

This script is Copyright (C) 2015 Tenable Network Security, Inc.

SUSE SLES11 Security Update : java-1_7_1-ibm (SUSE-SU-2015:1329-1)


Synopsis:

The remote SUSE host is missing one or more security updates.

Description:

IBM Java was updated to 7.1-3.10 to fix several security issues.

The following vulnerabilities were fixed :

- CVE-2015-1931: IBM Java Security Components store plain
text data in memory dumps, which could allow a local
attacker to obtain information to aid in further attacks
against the system.

- CVE-2015-2590: Easily exploitable vulnerability in the
Libraries component allowed successful unauthenticated
network attacks via multiple protocols. Successful
attack of this vulnerability could have resulted in
unauthorized Operating System takeover including
arbitrary code execution.

- CVE-2015-2601: Easily exploitable vulnerability in the
JCE component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
read access to a subset of Java accessible data.

- CVE-2015-2613: Easily exploitable vulnerability in the
JCE component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
read access to a subset of Java SE, Java SE Embedded
accessible data.

- CVE-2015-2619: Easily exploitable vulnerability in the
2D component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
read access to a subset of Java accessible data.

- CVE-2015-2621: Easily exploitable vulnerability in the
JMX component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
read access to a subset of Java accessible data.

- CVE-2015-2625: Very difficult to exploit vulnerability
in the JSSE component allowed successful unauthenticated
network attacks via SSL/TLS. Successful attack of this
vulnerability could have resulted in unauthorized read
access to a subset of Java accessible data.

- CVE-2015-2632: Easily exploitable vulnerability in the
2D component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
read access to a subset of Java accessible data.

- CVE-2015-2637: Easily exploitable vulnerability in the
2D component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
read access to a subset of Java accessible data.

- CVE-2015-2638: Easily exploitable vulnerability in the
2D component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
Operating System takeover including arbitrary code
execution.

- CVE-2015-2664: Difficult to exploit vulnerability in the
Deployment component requiring logon to Operating
System. Successful attack of this vulnerability could
have resulted in unauthorized Operating System takeover
including arbitrary code execution.

- CVE-2015-2808: Very difficult to exploit vulnerability
in the JSSE component allowed successful unauthenticated
network attacks via SSL/TLS. Successful attack of this
vulnerability could have resulted in unauthorized
update, insert or delete access to some Java accessible
data as well as read access to a subset of Java
accessible data.

- CVE-2015-4000: Very difficult to exploit vulnerability
in the JSSE component allowed successful unauthenticated
network attacks via SSL/TLS. Successful attack of this
vulnerability could have resulted in unauthorized
update, insert or delete access to some Java accessible
data as well as read access to a subset of Java Embedded
accessible data.

- CVE-2015-4729: Very difficult to exploit vulnerability
in the Deployment component allowed successful
unauthenticated network attacks via multiple protocols.
Successful attack of this vulnerability could have
resulted in unauthorized update, insert or delete access
to some Java SE accessible data as well as read access
to a subset of Java SE accessible data.

- CVE-2015-4731: Easily exploitable vulnerability in the
JMX component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
Operating System takeover including arbitrary code
execution.

- CVE-2015-4732: Easily exploitable vulnerability in the
Libraries component allowed successful unauthenticated
network attacks via multiple protocols. Successful
attack of this vulnerability could have resulted in
unauthorized Operating System takeover including
arbitrary code execution.

- CVE-2015-4733: Easily exploitable vulnerability in the
RMI component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
Operating System takeover including arbitrary code
execution.

- CVE-2015-4748: Very difficult to exploit vulnerability
in the Security component allowed successful
unauthenticated network attacks via OCSP. Successful
attack of this vulnerability could have resulted in
unauthorized Operating System takeover including
arbitrary code execution.

- CVE-2015-4749: Difficult to exploit vulnerability in the
JNDI component allowed successful unauthenticated
network attacks via multiple protocols. Successful
attack of this vulnerability could have resulted in
unauthorized ability to cause a partial denial of
service (partial DOS).

- CVE-2015-4760: Easily exploitable vulnerability in the
2D component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
Operating System takeover including arbitrary code
execution.

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/935540
https://bugzilla.suse.com/938895
https://www.suse.com/security/cve/CVE-2015-1931.html
https://www.suse.com/security/cve/CVE-2015-2590.html
https://www.suse.com/security/cve/CVE-2015-2601.html
https://www.suse.com/security/cve/CVE-2015-2613.html
https://www.suse.com/security/cve/CVE-2015-2619.html
https://www.suse.com/security/cve/CVE-2015-2621.html
https://www.suse.com/security/cve/CVE-2015-2625.html
https://www.suse.com/security/cve/CVE-2015-2632.html
https://www.suse.com/security/cve/CVE-2015-2637.html
https://www.suse.com/security/cve/CVE-2015-2638.html
https://www.suse.com/security/cve/CVE-2015-2664.html
https://www.suse.com/security/cve/CVE-2015-2808.html
https://www.suse.com/security/cve/CVE-2015-4000.html
https://www.suse.com/security/cve/CVE-2015-4729.html
https://www.suse.com/security/cve/CVE-2015-4731.html
https://www.suse.com/security/cve/CVE-2015-4732.html
https://www.suse.com/security/cve/CVE-2015-4733.html
https://www.suse.com/security/cve/CVE-2015-4748.html
https://www.suse.com/security/cve/CVE-2015-4749.html
https://www.suse.com/security/cve/CVE-2015-4760.html
http://www.nessus.org/u?7a25794f

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 11-SP4 :

zypper in -t patch sdksp4-java-1_7_1-ibm-12013=1

SUSE Linux Enterprise Server 11-SP4 :

zypper in -t patch slessp4-java-1_7_1-ibm-12013=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 10.0
(CVSS2#E:ND/RL:ND/RC:ND)
Public Exploit Available : true

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : java-1.6.0-openjdk on SL5.x, SL6.x, SL7.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and
RMI components in OpenJDK. An untrusted Java application or applet
could use these flaws to bypass Java sandbox restrictions.
(CVE-2015-4760, CVE-2015-2628, CVE-2015-4731, CVE-2015-2590,
CVE-2015-4732, CVE-2015-4733)

A flaw was found in the way the Libraries component of OpenJDK
verified Online Certificate Status Protocol (OCSP) responses. An OCSP
response with no nextUpdate date specified was incorrectly handled as
having unlimited validity, possibly causing a revoked X.509
certificate to be interpreted as valid. (CVE-2015-4748)

It was discovered that the JCE component in OpenJDK failed to use
constant time comparisons in multiple cases. An attacker could
possibly use these flaws to disclose sensitive information by
measuring the time used to perform operations using these non-constant
time comparisons. (CVE-2015-2601)

A flaw was found in the RC4 encryption algorithm. When using certain
keys for RC4 encryption, an attacker could obtain portions of the
plain text from the cipher text without the knowledge of the
encryption key. (CVE-2015-2808)

A flaw was found in the way the TLS protocol composed the
Diffie-Hellman (DH) key exchange. A man-in-the-middle attacker could
use this flaw to force the use of weak 512 bit export-grade keys
during the key exchange, allowing them to decrypt all traffic.
(CVE-2015-4000)

It was discovered that the JNDI component in OpenJDK did not handle
DNS resolutions correctly. An attacker able to trigger such DNS errors
could cause a Java application using JNDI to consume memory and CPU
time, and possibly block further DNS resolution. (CVE-2015-4749)

Multiple information leak flaws were found in the JMX and 2D
components in OpenJDK. An untrusted Java application or applet could
use this flaw to bypass certain Java sandbox restrictions.
(CVE-2015-2621, CVE-2015-2632)

A flaw was found in the way the JSSE component in OpenJDK performed
X.509 certificate identity verification when establishing a TLS/SSL
connection to a host identified by an IP address. In certain cases,
the certificate was accepted as valid if it was issued for a host name
to which the IP address resolves rather than for the IP address.
(CVE-2015-2625)

All running instances of OpenJDK Java must be restarted for the update
to take effect.

See also :

http://www.nessus.org/u?fcae96fb

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Public Exploit Available : true

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : bind on SL6.x, SL7.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

A flaw was found in the way BIND handled requests for TKEY DNS
resource records. A remote attacker could use this flaw to make named
(functioning as an authoritative DNS server or a DNS resolver) exit
unexpectedly with an assertion failure via a specially crafted DNS
request packet. (CVE-2015-5477)

After installing the update, the BIND daemon (named) will be restarted
automatically.

See also :

http://www.nessus.org/u?845b8c70

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : libuser on SL6.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

Two flaws were found in the way the libuser library handled the
/etc/passwd file. A local attacker could use an application compiled
against libuser (for example, userhelper) to manipulate the
/etc/passwd file, which could result in a denial of service or
possibly allow the attacker to escalate their privileges to root.
(CVE-2015-3245, CVE-2015-3246)

See also :

http://www.nessus.org/u?c413a37e

Solution :

Update the affected packages.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : wpa_supplicant on SL6.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

An integer underflow flaw, leading to a buffer over-read, was found in
the way wpa_supplicant handled WMM Action frames. A specially crafted
frame could possibly allow an attacker within Wi-Fi radio range to
cause wpa_supplicant to crash. (CVE-2015-4142)

This update includes the following enhancement :

- Prior to this update, wpa_supplicant did not provide a
way to require the host name to be listed in an X.509
certificate's Common Name or Subject Alternative Name,
and only allowed host name suffix or subject substring
checks. This update introduces a new configuration
directive, 'domain_match', which adds a full host name
check.

After installing this update, the wpa_supplicant service will be
restarted automatically.

See also :

http://www.nessus.org/u?60eeddf1

Solution :

Update the affected wpa_supplicant and / or wpa_supplicant-debuginfo
packages.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : wireshark on SL6.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

Several denial of service flaws were found in Wireshark. Wireshark
could crash or stop responding if it read a malformed packet off a
network, or opened a malicious dump file. (CVE-2014-8714,
CVE-2014-8712, CVE-2014-8713, CVE-2014-8711, CVE-2014-8710,
CVE-2015-0562, CVE-2015-0564, CVE-2015-2189, CVE-2015-2191)

This update also fixes the following bugs :

- Previously, the Wireshark tool did not support Advanced
Encryption Standard Galois/Counter Mode (AES-GCM)
cryptographic algorithm. As a consequence, AES-GCM was
not decrypted. Support for AES-GCM has been added to
Wireshark, and AES-GCM is now correctly decrypted.

- Previously, when installing the system using the
kickstart method, a dependency on the shadow-utils
packages was missing from the wireshark packages, which
could cause the installation to fail with a 'bad
scriptlet' error message. With this update, shadow-utils
are listed as required in the wireshark packages spec
file, and kickstart installation no longer fails.

- Prior to this update, the Wireshark tool could not
decode the elliptic curve types in a Datagram Transport
Layer Security (DTLS) Client Hello. Consequently,
Wireshark incorrectly displayed the elliptic curve types as
data. A patch has been applied to address this bug, and
Wireshark now decodes elliptic curve types properly.

- Previously, a dependency on the gtk2 packages was
missing from the wireshark packages. As a consequence,
the Wireshark tool failed to start under certain
circumstances due to an unresolved symbol,
'gtk_combo_box_text_new_with_entry', which was added in
gtk version 2.24. With this update, a dependency on gtk2
has been added, and Wireshark now always starts as
expected.

In addition, this update adds the following enhancements :

- Previously, when process substitution, which feeds the
output of a process (or processes) into the standard
input of another process using the '<(command_list)'
syntax, was used with large files as input, Wireshark
failed to decode such input. With this update, the
Wireshark tool supports process substitution.

- Wireshark has been enhanced to enable capturing packets
with nanosecond time stamp precision, which allows
better analysis of recorded network traffic.

All running instances of Wireshark must be restarted for the update to
take effect.

See also :

http://www.nessus.org/u?9ca48ac4

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : sudo on SL6.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

It was discovered that sudo did not perform any checks of the TZ
environment variable value. If sudo was configured to preserve the TZ
environment variable, a local user with privileges to execute commands
via sudo could possibly use this flaw to achieve system state changes
not permitted by the configured commands. (CVE-2014-9680)

Note: The default sudoers configuration in Scientific Linux 6 removes
the TZ variable from the environment in which commands run by sudo are
executed.

This update also fixes the following bugs :

- Previously, the sudo utility child processes could
sometimes become unresponsive because they ignored the
SIGPIPE signal. With this update, the SIGPIPE handler is
properly restored in the function that reads passwords
from the user, and the child processes no longer ignore
SIGPIPE. As a result, sudo child processes do not hang
in this situation.

- Prior to this update, the order in which sudo rules were
processed did not honor the user-defined sudoOrder
attribute. Consequently, sudo rules were processed in an
undefined order even when the user defined the order in
sudoOrder. The implementation of SSSD support in sudo
has been modified to sort the rules according to the
sudoOrder value, and sudo rules are now sorted in the
order defined by the user in sudoOrder.

- Previously, sudo became unresponsive after the user
issued a command when a sudoers source was mentioned
multiple times in the /etc/nsswitch.conf file. The
problem occurred when nsswitch.conf contained, for
example, the 'sudoers: files sss sss' entry. The sudoers
source processing code has been fixed to correctly
handle multiple instances of the same sudoers source. As
a result, sudo no longer hangs when a sudoers source is
mentioned multiple times in /etc/nsswitch.conf.

In addition, this update adds the following enhancement :

- The sudo utility now supports I/O logs compressed using
the zlib library. With this update, sudo can generate
zlib compressed I/O logs and also process zlib
compressed I/O logs generated by other versions of sudo
with zlib support.

See also :

http://www.nessus.org/u?273aa3f3

Solution :

Update the affected sudo, sudo-debuginfo and / or sudo-devel packages.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : python on SL6.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

It was discovered that the socket.recvfrom_into() function failed to
check the size of the supplied buffer. This could lead to a buffer
overflow when the function was called with an insufficiently sized
buffer. (CVE-2014-1912)

It was discovered that multiple Python standard library modules
implementing network protocols (such as httplib or smtplib) failed to
restrict the sizes of server responses. A malicious server could cause
a client using one of the affected modules to consume an excessive
amount of memory. (CVE-2013-1752)

It was discovered that the CGIHTTPServer module incorrectly handled
URL encoded paths. A remote attacker could use this flaw to execute
scripts outside of the cgi-bin directory, or disclose the source code
of the scripts in the cgi-bin directory. (CVE-2014-4650)

An integer overflow flaw was found in the way the buffer() function
handled its offset and size arguments. An attacker able to control
these arguments could use this flaw to disclose portions of the
application memory or cause it to crash. (CVE-2014-7185)

See also :

http://www.nessus.org/u?aebee312

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
Public Exploit Available : true

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : pki-core on SL6.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

Multiple cross-site scripting flaws were discovered in the Red Hat
Certificate System Agent and End Entity pages. An attacker could use
these flaws to perform a cross-site scripting (XSS) attack against
victims using the Certificate System's web interface. (CVE-2012-2662)

This update also fixes the following bugs :

- Previously, pki-core required the SSL version 3 (SSLv3)
protocol ranges to communicate with the 389-ds-base
packages. However, recent changes to 389-ds-base
disabled the default use of SSLv3 and enforced using
protocol ranges supported by secure protocols, such as
the TLS protocol. As a consequence, the CA failed to
install during an Identity Management (IdM) server
installation. This update adds TLS-related parameters to
the server.xml file of the CA to fix this problem, and
running the ipa-server-install command now installs the
CA as expected.

- Previously, the ipa-server-install script failed when
attempting to configure a stand-alone CA on systems with
OpenJDK version 1.8.0 installed. The pki-core build and
runtime dependencies have been modified to use OpenJDK
version 1.7.0 during the stand-alone CA configuration.
As a result, ipa-server-install no longer fails in this
situation.

- Creating a Scientific Linux 7 replica from a Scientific
Linux 6 replica running the CA service sometimes failed
in IdM deployments where the initial Scientific Linux 6
CA master had been removed. This could cause problems in
some situations, such as when migrating from Scientific
Linux 6 to Scientific Linux 7. The bug occurred due to a
problem in a previous version of IdM where the subsystem
user, created during the initial CA server installation,
was removed together with the initial master. This
update adds the restore-subsystem-user.py script that
restores the subsystem user in the described situation,
thus enabling administrators to create a Scientific
Linux 7 replica in this scenario.

- Several Java import statements specify wildcard
arguments. However, due to the use of wildcard arguments
in the import statements of the source code contained in
the Scientific Linux 6 maintenance branch, a name space
collision created the potential for an incorrect class
to be utilized. As a consequence, the Token Processing
System (TPS) rebuild test failed with an error message.
This update addresses the bug by supplying the fully
named class in all of the affected areas, and the TPS
rebuild test no longer fails.

- Previously, pki-core failed to build with the rebased
version of the CMake build system during the TPS rebuild
test. The pki-core build files have been updated to
comply with the rebased version of CMake. As a result,
pki-core builds successfully in the described scenario.

See also :

http://www.nessus.org/u?9f3a87c1

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : pacemaker on SL6.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

A flaw was found in the way pacemaker, a cluster resource manager,
evaluated added nodes in certain situations. A user with read-only
access could potentially assign any other existing roles to themselves
and then add privileges to other users as well. (CVE-2015-1867)

This update also fixes the following bugs :

- Due to a race condition, nodes that gracefully shut down
occasionally had difficulty rejoining the cluster. As a
consequence, nodes could come online and be shut down
again immediately by the cluster. This bug has been
fixed, and the 'shutdown' attribute is now cleared
properly.

- Prior to this update, the pacemaker utility caused an
unexpected termination of the attrd daemon after a
system update to Scientific Linux 6.6. The bug has been
fixed so that attrd no longer crashes when pacemaker
starts.

- Previously, the access control list (ACL) of the
pacemaker utility allowed a role assignment to the
Cluster Information Base (CIB) with a read-only
permission. With this update, the ACL is enforced and can no
longer be bypassed by a user without the write
permission, thus fixing this bug.

- Prior to this update, the ClusterMon (crm_mon) utility
did not trigger an external agent script with the '-E'
parameter to monitor the Cluster Information Base (CIB)
when the pacemaker utility was used. A patch has been
provided to fix this bug, and crm_mon now calls the
agent script when the '-E' parameter is used.

See also :

http://www.nessus.org/u?1ad424cc

Solution :

Update the affected packages.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : ntp on SL6.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

It was found that because NTP's access control was based on a source
IP address, an attacker could bypass source IP restrictions and send
malicious control and configuration packets by spoofing ::1 addresses.
(CVE-2014-9298)

A denial of service flaw was found in the way NTP hosts that were
peering with each other authenticated themselves before updating their
internal state variables. An attacker could send packets to one peer
host, which could cascade to other peers, and stop the synchronization
process among the reached peers. (CVE-2015-1799)

A flaw was found in the way the ntp-keygen utility generated MD5
symmetric keys on big-endian systems. An attacker could possibly use
this flaw to guess generated MD5 keys, which could then be used to
spoof an NTP client or server. (CVE-2015-3405)

A stack-based buffer overflow was found in the way the NTP autokey
protocol was implemented. When an NTP client decrypted a secret
received from an NTP server, it could cause that client to crash.
(CVE-2014-9297)

It was found that ntpd did not check whether a Message Authentication
Code (MAC) was present in a received packet when ntpd was configured
to use symmetric cryptographic keys. A man-in-the-middle attacker
could use this flaw to send crafted packets that would be accepted by
a client or a peer without the attacker knowing the symmetric key.
(CVE-2015-1798)

The CVE-2015-1798 and CVE-2015-1799 issues were discovered by Miroslav
Lichvár of Red Hat.

Bug fixes :

- The ntpd daemon truncated symmetric keys specified in
the key file to 20 bytes. As a consequence, it was
impossible to configure NTP authentication to work with
peers that use longer keys. The maximum length of keys
has now been changed to 32 bytes.

- The ntp-keygen utility used the exponent of 3 when
generating RSA keys, and generating RSA keys failed when
FIPS mode was enabled. ntp-keygen has been modified to
use the exponent of 65537, and generating keys in FIPS
mode now works as expected.

- The ntpd daemon included a root delay when calculating
its root dispersion. Consequently, the NTP server
reported larger root dispersion than it should have and
clients could reject the source when its distance
reached the maximum synchronization distance (1.5
seconds by default). Calculation of root dispersion has
been fixed, the root dispersion is now reported
correctly, and clients no longer reject the server due
to a large synchronization distance.

- The ntpd daemon dropped incoming NTP packets if their
source port was lower than 123 (the NTP port). Clients
behind Network Address Translation (NAT) were unable to
synchronize with the server if their source port was
translated to ports below 123. With this update, ntpd no
longer checks the source port number.

Enhancements :

- This update introduces configurable access of memory
segments used for Shared Memory Driver (SHM) reference
clocks. Previously, only the first two memory segments
were created with owner-only access, allowing just two
SHM reference clocks to be used securely on a system.
Now, the owner-only access to SHM is configurable with
the 'mode' option, and it is therefore possible to use
more SHM reference clocks securely.

- Support for nanosecond resolution has been added to the
SHM reference clock. Prior to this update, when a
Precision Time Protocol (PTP) hardware clock was used as
a time source to synchronize the system clock (for
example, with the timemaster service from the linuxptp
package), the accuracy of the synchronization was
limited due to the microsecond resolution of the SHM
protocol. The nanosecond extension in the SHM protocol
now enables sub-microsecond synchronization of the
system clock.

See also :

http://www.nessus.org/u?d7d15e8b

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:A/AC:M/Au:N/C:N/I:P/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : net-snmp on SL6.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

A denial of service flaw was found in the way snmptrapd handled
certain SNMP traps when started with the '-OQ' option. If an attacker
sent an SNMP trap containing a variable with a NULL type where an
integer variable type was expected, it would cause snmptrapd to crash.
(CVE-2014-3565)

This update also fixes the following bugs :

- The HOST-RESOURCES-MIB::hrSystemProcesses object was not
implemented because parts of the HOST-RESOURCES-MIB
module were rewritten in an earlier version of net-snmp.
Consequently, HOST-RESOURCES-MIB::hrSystemProcesses did
not provide information on the number of currently
loaded or running processes. With this update,
HOST-RESOURCES-MIB::hrSystemProcesses has been
implemented, and the net-snmp daemon reports as
expected.

- The Net-SNMP agent daemon, snmpd, reloaded the system
ARP table every 60 seconds. As a consequence, snmpd
could cause a short CPU usage spike on busy systems with
a large ARP table. With this update, snmpd does not
reload the full ARP table periodically, but monitors the
table changes using a netlink socket.

- Previously, snmpd used an invalid pointer to the current
time when periodically checking certain conditions
specified by the 'monitor' option in the
/etc/snmpd/snmpd.conf file. Consequently, snmpd
terminated unexpectedly on start with a segmentation
fault if a certain entry with the 'monitor' option was
used. Now, snmpd initializes the correct pointer to the
current time, and snmpd no longer crashes on start.

- Previously, snmpd expected 8-bit network interface
indices when processing
HOST-RESOURCES-MIB::hrDeviceTable. If an interface index
of a local network interface was larger than 30,000
items, snmpd could terminate unexpectedly due to
accessing invalid memory. Now, processing of all network
sizes is enabled, and snmpd no longer crashes in the
described situation.

- The snmptrapd service incorrectly checked for errors
when forwarding a trap with a RequestID value of 0, and
logged 'Forward failed' even though the trap was
successfully forwarded. This update fixes the snmptrapd
checks, and the aforementioned message is now logged only
when appropriate.

- Previously, snmpd ignored the value of the
'storageUseNFS' option in the /etc/snmpd/snmpd.conf
file. As a consequence, NFS drivers were shown as
'Network Disks', even though 'storageUseNFS' was set to
'2' to report them as 'Fixed Disks' in
HOST-RESOURCES-MIB::hrStorageTable. With this update,
snmpd takes the 'storageUseNFS' option value into
account, and 'Fixed Disks' NFS drives are reported
correctly.

- Previously, the Net-SNMP Python binding used an
incorrect size (8 bytes instead of 4) for variables of
IPADDRESS type. Consequently, applications that were
using the Net-SNMP Python bindings could send malformed SNMP
messages. With this update, the bindings use 4 bytes
for variables of IPADDRESS type, and only valid SNMP
messages are sent.

- Previously, the snmpd service did not cut values in
HOST-RESOURCES-MIB::hrStorageTable to signed 32-bit
integers, as required by SNMP standards, and provided
the values as unsigned integers. As a consequence, the
HOST-RESOURCES-MIB::hrStorageTable implementation did
not conform to RFC 2790. The values are now cut to
32-bit signed integers, and snmpd is therefore standard
compliant.

See also :

http://www.nessus.org/u?2950b693

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : mailman on SL6.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

It was found that mailman did not sanitize the list name before
passing it to certain MTAs. A local attacker could use this flaw to
execute arbitrary code as the user running mailman. (CVE-2015-2775)

It was found that mailman stored private email messages in a world-
readable directory. A local user could use this flaw to read private
mailing list archives. (CVE-2002-0389)

This update also fixes the following bugs :

- Previously, it was impossible to configure Mailman in a
way that Domain-based Message Authentication, Reporting
& Conformance (DMARC) would recognize Sender
alignment for Domain Key Identified Mail (DKIM)
signatures. Consequently, Mailman list subscribers that
belonged to a mail server with a 'reject' policy for
DMARC, such as yahoo.com or AOL.com, were unable to
receive Mailman forwarded messages from senders residing
in any domain that provided DKIM signatures. With this
update, domains with a 'reject' DMARC policy are
recognized correctly, and Mailman list administrators
are able to configure the way these messages are
handled. As a result, after a proper configuration,
subscribers now correctly receive Mailman forwarded
messages in this scenario.

- Mailman used a console encoding when generating a
subject for a 'welcome email' when new mailing lists
were created by the 'newlist' command. Consequently,
when the console encoding did not match the encoding
used by Mailman for that particular language, characters
in the 'welcome email' could be displayed incorrectly.
Mailman has been fixed to use the correct encoding, and
characters in the 'welcome email' are now displayed
properly.

- The 'rmlist' command used a hard-coded path to list data
based on the VAR_PREFIX configuration variable. As a
consequence, when the list was created outside of
VAR_PREFIX, it was impossible to remove it using the
'rmlist' command. With this update, the 'rmlist' command
uses the correct LIST_DATA_DIR value instead of
VAR_PREFIX, and it is now possible to remove the list in
the described situation.

- Due to an incompatibility between Python and Mailman in
Scientific Linux 6, when moderators were approving a
moderated message to a mailing list and checked the
'Preserve messages for the site administrator' checkbox,
Mailman failed to approve the message and returned an
error. This incompatibility has been fixed, and Mailman
now approves messages as expected in this scenario.

- When Mailman was set to not archive a list but the
archive was not set to private, attachments sent to that
list were placed in a public archive. Consequently,
users of the Mailman web interface could list private
attachments, because the httpd configuration of the public
archive directory allowed listing all files in the
archive directory. The httpd configuration of Mailman
has been fixed to not allow listing of the private archive
directory, and users of the Mailman web interface are no
longer able to list private attachments.

See also :

http://www.nessus.org/u?6ff12003

Solution :

Update the affected mailman and / or mailman-debuginfo packages.

Risk factor :

High / CVSS Base Score : 7.6
(CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : libxml2 on SL6.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

A denial of service flaw was found in the way the libxml2 library
parsed certain XML files. An attacker could provide a specially
crafted XML file that, when parsed by an application using libxml2,
could cause that application to use an excessive amount of memory.
(CVE-2015-1819)

This issue was discovered by Florian Weimer of Red Hat Product
Security.

This update also fixes the following bug :

This update fixes an error that occurred when running a test case for
the serialization of HTML documents.

The desktop must be restarted (log out, then log back in) for this
update to take effect.

See also :

http://www.nessus.org/u?e3135ee7

Solution :

Update the affected packages.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : libreoffice on SL6.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

A flaw was found in the way the LibreOffice HWP (Hangul Word
Processor) file filter processed certain HWP documents. An attacker
able to trick a user into opening a specially crafted HWP document
could possibly use this flaw to execute arbitrary code with the
privileges of the user opening that document. (CVE-2015-1774)

The libreoffice packages have been upgraded to upstream version
4.2.8.2, which provides a number of bug fixes and enhancements over
the previous version, including :

- OpenXML interoperability has been improved.

- This update adds additional statistics functions to the
Calc application, thus improving interoperability with
Microsoft Excel and its 'Analysis ToolPak' add-in.

- Various performance improvements have been implemented
in Calc.

- This update adds new import filters for importing files
from the Apple Keynote and Abiword applications.

- The export filter for the MathML markup language has
been improved.

- This update adds a new start screen that includes
thumbnails of recently opened documents.

- A visual clue is now displayed in the Slide Sorter
window for slides with transitions or animations.

- This update improves trend lines in charts.

- LibreOffice now supports BCP 47 language tags.

See also :

http://www.nessus.org/u?ac00fa05

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : kernel on SL6.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

* A flaw was found in the way Linux kernel's Transparent Huge Pages
(THP) implementation handled non-huge page migration. A local,
unprivileged user could use this flaw to crash the kernel by migrating
transparent hugepages. (CVE-2014-3940, Moderate)

* A buffer overflow flaw was found in the way the Linux kernel's
eCryptfs implementation decoded encrypted file names. A local,
unprivileged user could use this flaw to crash the system or,
potentially, escalate their privileges on the system. (CVE-2014-9683,
Moderate)

* A race condition flaw was found between the chown and execve system
calls. When changing the owner of a setuid user binary to root, the
race condition could momentarily make the binary setuid root. A local,
unprivileged user could potentially use this flaw to escalate their
privileges on the system. (CVE-2015-3339, Moderate)

* Multiple out-of-bounds write flaws were found in the way the Cherry
Cymotion keyboard driver, KYE/Genius device drivers, Logitech device
drivers, Monterey Genius KB29E keyboard driver, Petalynx Maxter remote
control driver, and Sunplus wireless desktop driver handled HID
reports with an invalid report descriptor size. An attacker with
physical access to the system could use any of these flaws to write
data past an allocated memory buffer. (CVE-2014-3184, Low)

* An information leak flaw was found in the way the Linux kernel's
Advanced Linux Sound Architecture (ALSA) implementation handled access
of the user control's state. A local, privileged user could use this
flaw to leak kernel memory to user space. (CVE-2014-4652, Low)

* It was found that the espfix functionality could be bypassed by
installing a 16-bit RW data segment into GDT instead of LDT (which
espfix checks), and using that segment on the stack. A local,
unprivileged user could potentially use this flaw to leak kernel stack
addresses. (CVE-2014-8133, Low)

* An information leak flaw was found in the Linux kernel's IEEE 802.11
wireless networking implementation. When software encryption was used,
a remote attacker could use this flaw to leak up to 8 bytes of
plaintext. (CVE-2014-8709, Low)

* It was found that the Linux kernel KVM subsystem's sysenter
instruction emulation was not sufficient. An unprivileged guest user
could use this flaw to escalate their privileges by tricking the
hypervisor to emulate a SYSENTER instruction in 16-bit mode, if the
guest OS did not initialize the SYSENTER model-specific registers
(MSRs). Note: Certified guest operating systems for Scientific Linux
with KVM do initialize the SYSENTER MSRs and are thus not vulnerable
to this issue when running on a KVM hypervisor. (CVE-2015-0239, Low)

The system must be rebooted for this update to take effect.

See also :

http://www.nessus.org/u?5dcf96b0

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.2
(CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : ipa on SL6.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

Note: The IdM version provided by this update no longer uses jQuery.

Bug fixes :

- The ipa-server-install, ipa-replica-install, and
ipa-client-install utilities are not supported on
machines running in FIPS-140 mode. Previously, IdM did
not warn users about this. Now, IdM does not allow
running the utilities in FIPS-140 mode, and displays an
explanatory message.

- If an Active Directory (AD) server was specified or
discovered automatically when running the
ipa-client-install utility, the utility produced a
traceback instead of informing the user that an IdM
server is expected in this situation. Now,
ipa-client-install detects the AD server and fails with
an explanatory message.

- When IdM servers were configured to require the TLS
protocol version 1.1 (TLSv1.1) or later in the httpd
server, the ipa utility failed. With this update,
running ipa works as expected with TLSv1.1 or later.

- In certain high-load environments, the Kerberos
authentication step of the IdM client installer can
fail. Previously, the entire client installation failed
in this situation. This update modifies ipa-client-
install to prefer the TCP protocol over the UDP protocol
and to retry the authentication attempt in case of
failure.

- If ipa-client-install updated or created the
/etc/nsswitch.conf file, the sudo utility could
terminate unexpectedly with a segmentation fault. Now,
ipa-client-install puts a new line character at the end
of nsswitch.conf if it modifies the last line of the
file, fixing this bug.

- The ipa-client-automount utility failed with the
'UNWILLING_TO_PERFORM' LDAP error when the
nsslapd-minssf Red Hat Directory Server configuration
parameter was set to '1'. This update modifies
ipa-client-automount to use encrypted connection for
LDAP searches by default, and the utility now finishes
successfully even with nsslapd-minssf specified.

- If installing an IdM server failed after the Certificate
Authority (CA) installation, the 'ipa-server-install
--uninstall' command did not perform a proper cleanup.
After the user issued 'ipa-server-install --uninstall'
and then attempted to install the server again, the
installation failed. Now, 'ipa-server-install
--uninstall' removes the CA-related files in the
described situation, and ipa-server-install no longer
fails with the mentioned error message.

- Running ipa-client-install added the 'sss' entry to the
sudoers line in nsswitch.conf even if 'sss' was already
configured and the entry was present in the file.
Duplicate 'sss' then caused sudo to become unresponsive.
Now, ipa-client-install no longer adds 'sss' if it is
already present in nsswitch.conf.

- After running ipa-client-install, it was not possible to
log in using SSH under certain circumstances. Now,
ipa-client-install no longer corrupts the sshd_config
file, and the sshd service can start as expected, and
logging in using SSH works in the described situation.

- An incorrect definition of the dc attribute in the
/usr/share/ipa/05rfc2247.ldif file caused bogus error
messages to be returned during migration. The attribute
has been fixed, but the bug persists if the
copy-schema-to-ca.py script was run on Scientific Linux
6.6 prior to running it on Scientific Linux 6.7. To work
around this problem, manually copy
/usr/share/ipa/schema/05rfc2247.ldif to /etc/dirsrv
/slapd-PKI-IPA/schema/ and restart IdM.
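The two nsswitch.conf bugs above (a last line left without a trailing newline, and a duplicate 'sss' appended to the sudoers line) are both failures of idempotent config editing. The following is an added example, not code from the ipa project or from this advisory, of how an installer can rewrite an nsswitch database line so that neither problem can occur; the sample file content and the function name are constructed for this example.

```python
# Added example (not code from the ipa project): an idempotent editor for
# nsswitch.conf that avoids both bugs described above. The sample file
# content is constructed; the function name is this example's own.

# Constructed input: 'sss' already present on the sudoers line, and no
# newline after the last line.
SAMPLE_NSSWITCH = (
    "passwd:     files sss\n"
    "shadow:     files sss\n"
    "sudoers:    files sss"
)


def add_nss_source(content, database, source="sss"):
    """Return `content` with `source` listed for `database`.

    - `source` is appended only when it is not already on that line, and
      existing duplicates are collapsed, so running the installer twice
      cannot leave a duplicate 'sss' behind.
    - The result always ends with a newline, even if the original last
      line had none, because a final line without '\\n' is what sudo's
      parser tripped over.
    - A missing `database:` line is appended at the end.
    """
    lines = content.split("\n")
    if lines and lines[-1] == "":
        lines.pop()          # the input already ended with a newline
    found = False
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or ":" not in stripped:
            continue
        name, _, sources = stripped.partition(":")
        if name.strip() != database:
            continue
        found = True
        original = sources.split()
        src_list = list(dict.fromkeys(original))   # drop existing duplicates
        if source not in src_list:
            src_list.append(source)
        if src_list != original:
            # Only rewrite the line when something changed; otherwise the
            # administrator's spacing is preserved.
            lines[i] = "%s: %s" % (database, " ".join(src_list))
    if not found:
        lines.append("%s: %s" % (database, source))
    return "\n".join(lines) + "\n"
```

Calling add_nss_source(SAMPLE_NSSWITCH, "sudoers") leaves the sudoers sources untouched and only restores the missing final newline; calling it again on its own output returns the same text, which is the property the original installer lacked.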

See also :

http://www.nessus.org/u?0c3be150

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : httpd on SL6.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

A flaw was found in the way httpd handled HTTP Trailer headers when
processing requests using chunked encoding. A malicious client could
use Trailer headers to set additional HTTP headers after header
processing was performed by other modules. This could, for example,
lead to a bypass of header restrictions defined with mod_headers.
(CVE-2013-5704)
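The mechanism behind CVE-2013-5704 is worth seeing concretely: in chunked transfer encoding a request may carry trailer fields after the final zero-length chunk, and if the server merges those trailers into the request header table after modules such as mod_headers have already applied their rules, a field that was removed from the header block can be reintroduced from the body. Upstream httpd fixed this by keeping trailers separate and adding a MergeTrailers directive (off by default) for anyone who needs the old behaviour. The following is an added example, not httpd code and not from this advisory, with a toy parser and a constructed request that show the bypass and the separated handling side by side.

```python
# Added example (not httpd code, not from Tenable or Scientific Linux):
# a toy HTTP/1.1 request parser showing why merging chunked-encoding
# trailers into the request headers defeats a header policy that ran
# earlier. The sample request, the policy and all names are constructed.

# Constructed request: the policy strips X-Remote-User from the header
# block, but the same field name is resent as a trailer after the body.
CRAFTED_REQUEST = (
    b"POST /app HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"X-Remote-User: mallory\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"0\r\n"
    b"X-Remote-User: admin\r\n"   # trailer field, arrives after the body
    b"\r\n"
)

# Headers a front end removes from incoming requests, the way a
# 'RequestHeader unset' rule in mod_headers would.
RESTRICTED = {"x-remote-user"}


def parse_header_block(block):
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    headers = {}
    for line in block.split(b"\r\n"):
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("ascii")
    return headers


def parse_request(raw):
    """Return (request_line, headers, body, trailers) for a request."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    headers = parse_header_block(header_block)
    body = b""
    trailers = {}
    if headers.get("transfer-encoding", "").lower() == "chunked":
        buf = rest
        while True:
            size_line, _, buf = buf.partition(b"\r\n")
            size = int(size_line.split(b";")[0], 16)   # ignore chunk extensions
            if size == 0:
                trailer_block, _, _ = buf.partition(b"\r\n\r\n")
                trailers = parse_header_block(trailer_block)
                break
            body += buf[:size]
            buf = buf[size + 2:]   # skip the chunk data and its CRLF
    else:
        body = rest
    return request_line.decode("ascii"), headers, body, trailers


def apply_policy(headers):
    return {k: v for k, v in headers.items() if k not in RESTRICTED}


def handle_merging(raw):
    """Pre-fix behaviour: trailers are merged into the header table after
    the policy has already run, so the trailer re-introduces the field."""
    _, headers, body, trailers = parse_request(raw)
    headers = apply_policy(headers)
    headers.update(trailers)
    return headers.get("x-remote-user"), body


def handle_separated(raw):
    """Fixed behaviour: trailers stay apart from the headers, and code that
    chooses to read them passes them through the same policy."""
    _, headers, body, trailers = parse_request(raw)
    headers = apply_policy(headers)
    trailers = apply_policy(trailers)
    return headers.get("x-remote-user"), body, trailers
```

With the constructed request, handle_merging hands the application an X-Remote-User of "admin" that the policy never saw, while handle_separated leaves the application with no such header at all; that difference is exactly the header-restriction bypass the advisory describes.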

This update also fixes the following bugs :

- The order of mod_proxy workers was not checked when
httpd configuration was reloaded. When mod_proxy workers
were removed, added, or their order was changed, their
parameters and scores could become mixed. The order of
mod_proxy workers has been made internally consistent
during configuration reload.

- The local host certificate created during firstboot
contained CA extensions, which caused the httpd service
to return warning messages. This has been addressed by
local host certificates being generated with the
'-extensions v3_req' option.

- The default mod_ssl configuration no longer enables
support for SSL cipher suites using the single DES,
IDEA, or SEED encryption algorithms.

- The apachectl script did not take into account the
HTTPD_LANG variable set in the /etc/sysconfig/httpd file
during graceful restarts. Consequently, httpd did not
use a changed value of HTTPD_LANG when the daemon was
restarted gracefully. The script has been fixed to
handle the HTTPD_LANG variable correctly.

- The mod_deflate module failed to check the original file
size while extracting files larger than 4 GB, making it
impossible to extract large files. Now, mod_deflate
checks the original file size properly according to
RFC1952, and it is able to decompress files larger than
4 GB.

- The httpd service did not check configuration before
restart. When a configuration contained an error, an
attempt to restart httpd gracefully failed. Now, httpd
checks configuration before restart and if the
configuration is in an inconsistent state, an error
message is printed, httpd is not stopped and a restart
is not performed.

- The SSL_CLIENT_VERIFY environment variable was
incorrectly handled when the 'SSLVerifyClient
optional_no_ca' and 'SSLSessionCache' options were used.
When an SSL session was resumed, the SSL_CLIENT_VERIFY
value was set to 'SUCCESS' instead of the previously set
'GENEROUS'. SSL_CLIENT_VERIFY is now correctly set to
GENEROUS in this scenario.

- The ab utility did not correctly handle situations when
an SSL connection was closed after some data had already
been read. As a consequence, ab did not work correctly
with SSL servers and printed 'SSL read failed' error
messages. With this update, ab works as expected with
HTTPS servers.

- When a client presented a revoked certificate, log
entries were created only at the debug level. The log
level of messages regarding a revoked certificate has
been increased to INFO, and administrators are now
properly informed of this situation.

In addition, this update adds the following enhancement :

- A mod_proxy worker can now be set into drain mode (N)
using the balancer-manager web interface or using the
httpd configuration file. A worker in drain mode accepts
only existing sticky sessions destined for itself and
ignores all other requests. The worker waits until all
clients currently connected to this worker complete
their work before the worker is stopped. As a result,
drain mode makes it possible to perform maintenance on a
worker without affecting clients.

After installing the updated packages, the httpd service will be
restarted automatically.

See also :

http://www.nessus.org/u?68afd5cc

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : hivex on SL6.x x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

It was found that hivex attempted to read, and possibly write, beyond
its allocated buffer when reading a hive file with a very small size
or with a truncated or improperly formatted content. An attacker able
to supply a specially crafted hive file to an application using the
hivex library could possibly use this flaw to execute arbitrary code
with the privileges of the user running that application.
(CVE-2014-9273)

This update also fixes the following bug :

- The hivex(3) man page previously contained a
typographical error. This update fixes the typo.

See also :

http://www.nessus.org/u?4ca6c762

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 4.6
(CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : grep on SL6.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way grep parsed large lines of data. An attacker able to
trick a user into running grep on a specially crafted data file could
use this flaw to crash grep or, potentially, execute arbitrary code
with the privileges of the user running grep. (CVE-2012-5667)

A heap-based buffer overflow flaw was found in the way grep processed
certain pattern and text combinations. An attacker able to trick a
user into running grep on specially crafted input could use this flaw
to crash grep or, potentially, read from uninitialized memory.
(CVE-2015-1345)

The grep packages have been upgraded to upstream version 2.20, which
provides a number of bug fixes and enhancements over the previous
version. Notably, the speed of various operations has been improved
significantly. Now, the recursive grep utility uses the fts function
of the gnulib library for directory traversal, so that it can handle
much larger directories without reporting the 'File name too long'
error message, and it can operate faster when dealing with large
directory hierarchies.

This update also fixes the following bugs :

- Prior to this update, the \w and \W symbols were
inconsistently matched to the [:alnum:] character class.
Consequently, regular expressions that used \w and \W in
some cases had incorrect results. An upstream patch
which fixes the matching problem has been applied, and
\w is now matched to the [_[:alnum:]] character and \W
to the [^_[:alnum:]] character consistently.

- Previously, the '--fixed-regexp' command-line option was
not included in the grep(1) manual page. Consequently,
the manual page was inconsistent with the built-in help
of the grep utility. To fix this bug, grep(1) has been
updated to include a note informing the user that
'--fixed-regexp' is an obsolete option. Now, the
built-in help and manual page are consistent regarding
the '--fixed-regexp' option.

- Previously, the Perl Compatible Regular Expression
(PCRE) library did not work correctly when matching
non-UTF-8 text in UTF-8 mode. Consequently, an error
message about invalid UTF-8 byte sequence characters was
returned. To fix this bug, patches from upstream have
been applied to the PCRE library and the grep utility.
As a result, PCRE now skips non-UTF-8 characters as
non-matching text without returning any error message.

See also :

http://www.nessus.org/u?9c1cf3b5

Solution :

Update the affected grep and / or grep-debuginfo packages.

Risk factor :

Medium / CVSS Base Score : 4.4
(CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : gnutls on SL6.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

It was found that GnuTLS did not check activation and expiration dates
of CA certificates. This could cause an application using GnuTLS to
incorrectly accept a certificate as valid when its issuing CA is
already expired. (CVE-2014-8155)

It was found that GnuTLS did not verify whether a hashing algorithm
listed in a signature matched the hashing algorithm listed in the
certificate. An attacker could create a certificate that used a
different hashing algorithm than it claimed, possibly causing GnuTLS
to use an insecure, disallowed hashing algorithm during certificate
verification. (CVE-2015-0282)

It was discovered that GnuTLS did not check if all sections of X.509
certificates indicate the same signature algorithm. This flaw, in
combination with a different flaw, could possibly lead to a bypass of
the certificate signature check. (CVE-2015-0294)

The CVE-2014-8155 issue was discovered by Marcel Kolaja of Red Hat.
The CVE-2015-0282 and CVE-2015-0294 issues were discovered by Nikos
Mavrogiannopoulos of the Red Hat Security Technologies Team.

This update also fixes the following bug :

- Previously, under certain circumstances, the certtool
utility could generate X.509 certificates which
contained a negative modulus. Consequently, such
certificates could have interoperation problems with the
software using them. The bug has been fixed, and
certtool no longer generates X.509 certificates
containing a negative modulus.

See also :

http://www.nessus.org/u?79c875b8

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : freeradius on SL6.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

A stack-based buffer overflow was found in the way the FreeRADIUS
rlm_pap module handled long password hashes. An attacker able to make
radiusd process a malformed password hash could cause the daemon to
crash. (CVE-2014-2015)

The freeradius packages have been upgraded to upstream version 2.2.6,
which provides a number of bug fixes and enhancements over the
previous version, including :

- A number of dictionaries have been updated.

- This update implements several Extensible Authentication
Protocol (EAP) improvements.

- A number of new expansions have been added, including:
%{randstr:...}, %{hex:...}, %{sha1:...}, %{base64:...},
%{tobase64:...}, and %{base64tohex:...}.

- Hexadecimal numbers (0x...) are now supported in
%{expr:...} expansions.

- This update adds operator support to the rlm_python
module.

- The Dynamic Host Configuration Protocol (DHCP) and DHCP
relay code have been finalized.

- This update adds the rlm_cache module to cache arbitrary
attributes.

This update also fixes the following bugs :

- The /var/log/radius/radutmp file was configured to
rotate at one-month intervals, even though this was
unnecessary. This update removes /var/log/radius/radutmp
from the installed logrotate utility configuration in
the /etc/logrotate.d/radiusd file, and
/var/log/radius/radutmp is no longer rotated.

- The radiusd service could not write the output file
created by the raddebug utility. The raddebug utility
now sets appropriate ownership to the output file,
allowing radiusd to write the output.

- After starting raddebug using the 'raddebug -t 0'
command, raddebug exited immediately. A typo in the
special case comparison has been fixed, and raddebug now
runs for 11.5 days in this situation.

- MS-CHAP authentication failed when the User-Name and
MS-CHAP-User-Name attributes used different encodings,
even when the user provided correct credentials. Now,
MS-CHAP authentication properly handles mismatching
character encodings. Authentication with correct
credentials no longer fails in this situation.

- Automatically generated default certificates used the
SHA-1 algorithm message digest, which is considered
insecure. The default certificates now use the more
secure SHA-256 algorithm message digest.

- During the Online Certificate Status Protocol (OCSP)
validation, radiusd terminated unexpectedly with a
segmentation fault after attempting to access the next
update field that was not provided by the OCSP
responder. Now, radiusd does not crash in this situation
and instead continues to complete the OCSP validation.

- Prior to this update, radiusd failed to work with some
of the more recent MikroTIK attributes, because the
installed dictionary.mikrotik file did not include them.
This update adds MikroTIK attributes with IDs up to 22
to dictionary.mikrotik, and radiusd now works as
expected with these attributes.

After installing this update, the radiusd service will be restarted
automatically.

See also :

http://www.nessus.org/u?dda880e3

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : curl on SL6.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

It was found that the libcurl library did not correctly handle partial
literal IP addresses when parsing received HTTP cookies. An attacker
able to trick a user into connecting to a malicious server could use
this flaw to set the user's cookie to a crafted domain, making other
cookie-related issues easier to exploit. (CVE-2014-3613)
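The "partial literal IP address" in CVE-2014-3613 is easy to misread. A cookie Domain attribute is normally accepted if the request host tail-matches it, and the same tail match decides which hosts later receive the cookie; a pure suffix comparison lets a server at 192.0.2.1 set Domain=.0.2.1, which then also matches 10.0.2.1 and every other address ending in .0.2.1. RFC 6265 section 5.1.3 closes this by excluding IP literals from the suffix rule. The following is an added example, not libcurl code and not from this advisory, that puts the flawed suffix match next to the RFC-style check; the hosts and cookie attributes are constructed.

```python
# Added example (not libcurl code): the cookie Domain check that the
# CVE-2014-3613 fix tightened, modelled on the domain-matching rule of
# RFC 6265 section 5.1.3. Hosts and cookie attributes are constructed.
import ipaddress


def is_ip_literal(host):
    """True for IPv4/IPv6 literals (brackets on IPv6 hosts are tolerated)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def tail_match(host, domain):
    """Suffix match with no awareness of IP literals: the behaviour the
    advisory describes as flawed. '192.0.2.1' tail-matches '.0.2.1'."""
    h, d = host.lower().rstrip("."), domain.lower().strip(".")
    return h == d or h.endswith("." + d)


def domain_match(host, domain):
    """RFC 6265 domain-match: identical, or host ends in '.' + domain and
    host is a hostname rather than an IP literal."""
    h, d = host.lower().rstrip("."), domain.lower().strip(".")
    if h == d:
        return True
    return h.endswith("." + d) and not is_ip_literal(h)


def accept_domain_attribute(request_host, domain_attr):
    """Decide whether a Set-Cookie Domain attribute may be honoured.
    Returns the effective cookie domain, or None to reject the cookie."""
    if not domain_attr:
        return request_host.lower()            # host-only cookie
    if not domain_match(request_host, domain_attr):
        return None                            # attacker-chosen domain
    return domain_attr.lower().strip(".")


def cookies_sent_to(host, jar, matcher=domain_match):
    """Names of jar cookies a client would attach to a request for host.
    jar is a list of (name, cookie_domain) pairs."""
    return [name for name, cdomain in jar if matcher(host, cdomain)]


# Constructed scenario: a server at 192.0.2.1 sets a cookie for '.0.2.1',
# hoping it will be replayed to an unrelated host with the same tail.
ATTACK_HOST = "192.0.2.1"
ATTACK_DOMAIN = ".0.2.1"
VICTIM_HOST = "10.0.2.1"
```

Under tail_match the constructed cookie is both accepted from 192.0.2.1 and later sent to 10.0.2.1; under domain_match it is rejected at acceptance time, and even a jar that already contains it would not release it to the victim host.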

A flaw was found in the way the libcurl library performed the
duplication of connection handles. If an application set the
CURLOPT_COPYPOSTFIELDS option for a handle, using the handle's
duplicate could cause the application to crash or disclose a portion
of its memory. (CVE-2014-3707)

It was discovered that the libcurl library failed to properly handle
URLs with embedded end-of-line characters. An attacker able to make an
application using libcurl to access a specially crafted URL via an
HTTP proxy could use this flaw to inject additional headers to the
request or construct additional requests. (CVE-2014-8150)
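When a client talks through an HTTP proxy it places the whole URL on the request line ("GET http://host/path HTTP/1.1"), so any CR or LF that survives inside the URL ends the request line early and whatever follows is parsed by the proxy as further headers or even a second request. The following is an added example, not libcurl code and not from this advisory, that builds such a request naively, shows what the proxy would see, and then refuses or neutralises the control characters; the URL, host and function names are constructed for this example.

```python
# Added example (not libcurl code): how an end-of-line character inside a
# URL becomes header or request injection when a client builds an
# absolute-URI proxy request by string concatenation, and two ways to
# prevent it. The URL, host and function names are constructed.
import re

# Constructed hostile URL: the "path" carries CRLF sequences that end the
# request line, add a header, close the header block and start a second
# request.
CRAFTED_URL = (
    "http://app.example.test/path HTTP/1.1\r\n"
    "X-Injected: 1\r\n"
    "\r\n"
    "GET http://app.example.test/second"
)

REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")


def build_proxy_request_naive(url, host):
    """Request line built from the raw URL: CR/LF in the URL go out as-is."""
    return "GET %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (url, host)


def encode_url(url):
    """Percent-encode the characters that can break out of the request line."""
    return (url.replace("\r", "%0D")
               .replace("\n", "%0A")
               .replace("\t", "%09")
               .replace(" ", "%20"))


def build_proxy_request(url, host, strict=False):
    """Safe variant: refuse the URL outright (strict=True) or neutralise the
    dangerous characters before they reach the request line."""
    if any(c in url for c in "\r\n"):
        if strict:
            raise ValueError("control characters in URL")
        url = encode_url(url)
    return "GET %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (url, host)


def request_lines(raw):
    """Request lines a proxy would find in this stream (should be one)."""
    return [ln for ln in raw.split("\r\n") if REQUEST_LINE.match(ln)]


def injected_headers(raw, name):
    """Header lines carrying the given field name, wherever they occur."""
    prefix = name.lower() + ":"
    return [ln for ln in raw.split("\r\n") if ln.lower().startswith(prefix)]


def rejects(url, host="app.example.test"):
    """True when the strict builder refuses the URL."""
    try:
        build_proxy_request(url, host, strict=True)
    except ValueError:
        return True
    return False
```

For a client library, refusing the URL (the strict path) is the right default: a CR or LF has no legitimate place in a URL handed to an HTTP client, and silently encoding it hides a bug in the caller. The encoding path is shown because it is the behaviour many ad-hoc clients end up with, and it is still enough to keep the proxy from seeing a second request.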

It was discovered that libcurl implemented aspects of the NTLM and
Negotiate authentication incorrectly. If an application uses libcurl
and the affected mechanisms in a specific way, certain requests to a
previously NTLM-authenticated server could appear as sent by the
wrong authenticated user. Additionally, the initial set of credentials
for HTTP Negotiate-authenticated requests could be reused in
subsequent requests, although a different set of credentials was
specified. (CVE-2015-3143, CVE-2015-3148)

Bug fixes :

- An out-of-protocol fallback to SSL version 3.0 (SSLv3.0)
was available with libcurl. Attackers could abuse the
fallback to force a downgrade of the SSL/TLS version. The
fallback has been removed from libcurl. Users requiring
this functionality can explicitly enable SSLv3.0 through
the libcurl API.

- A single upload transfer through the FILE protocol
opened the destination file twice. If the inotify kernel
subsystem monitored the file, two events were produced
unnecessarily. The file is now opened only once per
upload.

- Utilities using libcurl for SCP/SFTP transfers could
terminate unexpectedly when the system was running in
FIPS mode.

- Using the '--retry' option with the curl utility could
cause curl to terminate unexpectedly with a segmentation
fault. Now, adding '--retry' no longer causes curl to
crash.

- The 'curl --trace-time' command did not use the correct
local time when printing timestamps. Now, 'curl
--trace-time' works as expected.

- The valgrind utility could report dynamically allocated
memory leaks on curl exit. Now, curl performs a global
shutdown of the Netscape Portable Runtime (NSPR) library
on exit, and valgrind no longer reports the memory
leaks.

- Previously, libcurl returned an incorrect value of the
CURLINFO_HEADER_SIZE field when a proxy server appended
its own headers to the HTTP response. Now, the returned
value is valid.

Enhancements :

- The '--tlsv1.0', '--tlsv1.1', and '--tlsv1.2' options
are available for specifying the minor version of the
TLS protocol to be negotiated by NSS. The '--tlsv1'
option now negotiates the highest version of the TLS
protocol supported by both the client and the server.

- It is now possible to explicitly enable or disable the
ECC and the new AES cipher suites to be used for TLS.

See also :

http://www.nessus.org/u?250707ed

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : bind on SL6.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

A flaw was found in the way BIND performed DNSSEC validation. An
attacker able to make BIND (functioning as a DNS resolver with DNSSEC
validation enabled) resolve a name in an attacker-controlled domain
could cause named to exit unexpectedly with an assertion failure.
(CVE-2015-4620)

After installing the update, the BIND daemon (named) will be restarted
automatically.

See also :

http://www.nessus.org/u?ca08e71c

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.