Newest Plugins

Tenable Passive Vulnerability Scanner Installed (Mac OS X) (credentialed check)


Synopsis:

A vulnerability scanner is installed on the remote Mac OS X host.

Description:

Tenable Passive Vulnerability Scanner (PVS) is installed on the remote
Mac OS X host.

See also :

http://www.tenable.com/products/passive-vulnerability-scanner

Solution :

n/a

Risk factor :

None

This script is Copyright (C) 2015 Tenable Network Security, Inc.

BlackBerry <= 7.1 and 10.x < 10.3.1.1779 SSL/TLS EXPORT_RSA Ciphers Downgrade MitM (FREAK) (KB36811)


Synopsis:

The version of BlackBerry OS is affected by the FREAK vulnerability.

Description:

According to its version number, the BlackBerry OS installed on the
mobile device is either BlackBerry OS version 7.1 or earlier, or
BlackBerry 10 OS prior to version 10.3.1.1779. It is, therefore,
affected by a security feature bypass vulnerability, known
as FREAK (Factoring attack on RSA-EXPORT Keys), due to the support of
weak EXPORT_RSA cipher suites with keys less than or equal to 512
bits. A man-in-the-middle attacker may be able to downgrade the
SSL/TLS connection to use EXPORT_RSA cipher suites which can be
factored in a short amount of time, allowing the attacker to intercept
and decrypt the traffic.

See also :

https://www.smacktls.com/#freak
http://www.blackberry.com/btsc/KB36811

Solution :

Upgrade to BlackBerry 10.3.1.1779 or later.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

BlackBerry Enterprise Server SSL/TLS EXPORT_RSA Ciphers Downgrade MitM (FREAK) (KB36811)


Synopsis:

The remote Windows host has an application that is affected by the
FREAK vulnerability.

Description:

The version of BlackBerry Enterprise Server on the remote host is
affected by a security feature bypass vulnerability, known as FREAK
(Factoring attack on RSA-EXPORT Keys), due to the support of weak
EXPORT_RSA cipher suites with keys less than or equal to 512 bits.
A man-in-the-middle attacker may be able to downgrade the SSL/TLS
connection to use EXPORT_RSA cipher suites which can be factored in a
short amount of time, allowing the attacker to intercept and decrypt
the traffic.

See also :

https://www.smacktls.com/#freak
http://www.blackberry.com/btsc/KB36811

Solution :

Upgrade to version 10.2 MR5 and later with Interim Security Update
BES 12.1 for March 19, 2016, or to version 12.1 and later with Interim
Security Update BES 10.2.5 for March 19, 2016.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : setroubleshoot on SL5.x, SL6.x, SL7.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

It was found that setroubleshoot did not sanitize file names supplied
in a shell command look-up for RPMs associated with access violation
reports. An attacker could use this flaw to escalate their privileges
on the system by supplying a specially crafted file to the underlying
shell command. (CVE-2015-1815)

See also :

http://www.nessus.org/u?ecfe0c2f

Solution :

Update the affected packages.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : ipa and slapi-nis on SL7.x x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

The ipa component provides centrally managed Identity, Policy, and
Audit. The slapi-nis component provides NIS Server and Schema
Compatibility plug-ins for Directory Server.

It was discovered that the IPA extdom Directory Server plug-in did not
correctly perform memory reallocation when handling user account
information. A request for a list of groups for a user that belongs to
a large number of groups would cause a Directory Server to crash.
(CVE-2015-1827)

It was discovered that the slapi-nis Directory Server plug-in did not
correctly perform memory reallocation when handling user account
information. A request for information about a group with many
members, or a request for a user that belongs to a large number of
groups, would cause a Directory Server to enter an infinite loop and
consume an excessive amount of CPU time. (CVE-2015-0283)

This update fixes the following bugs :

- Previously, users of IdM were not properly granted the
default permission to read the
'facsimiletelephonenumber' user attribute. This update
adds 'facsimiletelephonenumber' to the Access Control
Instruction (ACI) for user data, which makes the
attribute readable to authenticated users as expected.

- Prior to this update, when a DNS zone was saved in an
LDAP database without a dot character (.) at the end,
internal DNS commands and operations, such as
dnsrecord-* or dnszone-*, failed. With this update, DNS
commands always supply the DNS zone with a dot character
at the end, which prevents the described problem.

- After a full-server IdM restore operation, the restored
server in some cases contained invalid data. In
addition, if the restored server was used to
reinitialize a replica, the replica then contained
invalid data as well. To fix this problem, the IdM API
is now created correctly during the restore operation,
and *.ldif files are not skipped during the removal of
RUV data. As a result, the restored server and its
replica no longer contain invalid data.

- Previously, a deadlock in some cases occurred during an
IdM upgrade, which could cause the IdM server to become
unresponsive. With this update, the Schema Compatibility
plug-in has been adjusted not to parse the subtree that
contains the configuration of the DNA plug-in, which
prevents this deadlock from triggering.

- When using the extdom plug-in of IdM to handle large
groups, user lookups and group lookups previously failed
due to insufficient buffer size. With this update, the
getgrgid_r() call gradually increases the buffer length
if needed, and the described failure of extdom thus no
longer occurs.

See also :

http://www.nessus.org/u?68860c92

Solution :

Update the affected packages.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

RHEL 5 / 6 / 7 : setroubleshoot (RHSA-2015:0729)


Synopsis:

The remote Red Hat host is missing one or more security updates.

Description:

Updated setroubleshoot packages that fix one security issue are now
available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the References section.

The setroubleshoot packages provide tools to help diagnose SELinux
problems. When Access Vector Cache (AVC) messages are returned, an
alert can be generated that provides information about the problem and
helps to track its resolution.

It was found that setroubleshoot did not sanitize file names supplied
in a shell command look-up for RPMs associated with access violation
reports. An attacker could use this flaw to escalate their privileges
on the system by supplying a specially crafted file to the underlying
shell command. (CVE-2015-1815)

Red Hat would like to thank Sebastian Krahmer of the SUSE Security
Team for reporting this issue.

All setroubleshoot users are advised to upgrade to these updated
packages, which contain a backported patch to correct this issue.

See also :

https://www.redhat.com/security/data/cve/CVE-2015-1815.html
http://rhn.redhat.com/errata/RHSA-2015-0729.html

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

RHEL 7 : ipa and slapi-nis (RHSA-2015:0728)


Synopsis:

The remote Red Hat host is missing one or more security updates.

Description:

Updated ipa and slapi-nis packages that fix two security issues and
several bugs are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Red Hat Identity Management is a centralized authentication, identity
management, and authorization solution for both traditional and
cloud-based enterprise environments. It integrates components of the
Red Hat Directory Server, MIT Kerberos, Red Hat Certificate System,
NTP, and DNS. It provides web browser and command-line interfaces. Its
administration tools allow an administrator to quickly install, set
up, and administer a group of domain controllers to meet the
authentication and identity management requirements of large-scale
Linux and UNIX deployments.

The ipa component provides centrally managed Identity, Policy, and
Audit. The slapi-nis component provides NIS Server and Schema
Compatibility plug-ins for Directory Server.

It was discovered that the IPA extdom Directory Server plug-in did not
correctly perform memory reallocation when handling user account
information. A request for a list of groups for a user that belongs to
a large number of groups would cause a Directory Server to crash.
(CVE-2015-1827)

It was discovered that the slapi-nis Directory Server plug-in did not
correctly perform memory reallocation when handling user account
information. A request for information about a group with many
members, or a request for a user that belongs to a large number of
groups, would cause a Directory Server to enter an infinite loop and
consume an excessive amount of CPU time. (CVE-2015-0283)

These issues were discovered by Sumit Bose of Red Hat.

This update fixes the following bugs :

* Previously, users of IdM were not properly granted the default
permission to read the 'facsimiletelephonenumber' user attribute. This
update adds 'facsimiletelephonenumber' to the Access Control
Instruction (ACI) for user data, which makes the attribute readable to
authenticated users as expected. (BZ#1198430)

* Prior to this update, when a DNS zone was saved in an LDAP database
without a dot character (.) at the end, internal DNS commands and
operations, such as dnsrecord-* or dnszone-*, failed. With this
update, DNS commands always supply the DNS zone with a dot character
at the end, which prevents the described problem. (BZ#1198431)

* After a full-server IdM restore operation, the restored server in
some cases contained invalid data. In addition, if the restored server
was used to reinitialize a replica, the replica then contained invalid
data as well. To fix this problem, the IdM API is now created
correctly during the restore operation, and *.ldif files are not
skipped during the removal of RUV data. As a result, the restored
server and its replica no longer contain invalid data. (BZ#1199060)

* Previously, a deadlock in some cases occurred during an IdM upgrade,
which could cause the IdM server to become unresponsive. With this
update, the Schema Compatibility plug-in has been adjusted not to
parse the subtree that contains the configuration of the DNA plug-in,
which prevents this deadlock from triggering. (BZ#1199128)

* When using the extdom plug-in of IdM to handle large groups, user
lookups and group lookups previously failed due to insufficient buffer
size. With this update, the getgrgid_r() call gradually increases the
buffer length if needed, and the described failure of extdom thus no
longer occurs. (BZ#1203204)

Users of ipa and slapi-nis are advised to upgrade to these updated
packages, which correct these issues.

See also :

https://www.redhat.com/security/data/cve/CVE-2015-0283.html
https://www.redhat.com/security/data/cve/CVE-2015-1827.html
http://rhn.redhat.com/errata/RHSA-2015-0728.html

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

RHEL 7 : kernel (RHSA-2015:0726)


Synopsis:

The remote Red Hat host is missing one or more security updates.

Description:

Updated kernel packages that fix two security issues and several bugs
are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

* It was found that the Linux kernel's Infiniband subsystem did not
properly sanitize input parameters while registering memory regions
from user space via the (u)verbs API. A local user with access to a
/dev/infiniband/uverbsX device could use this flaw to crash the system
or, potentially, escalate their privileges on the system.
(CVE-2014-8159, Important)

* A use-after-free flaw was found in the way the Linux kernel's SCTP
implementation handled authentication key reference counting during
INIT collisions. A remote attacker could use this flaw to crash the
system or, potentially, escalate their privileges on the system.
(CVE-2015-1421, Important)

Red Hat would like to thank Mellanox for reporting the CVE-2014-8159
issue. The CVE-2015-1421 issue was discovered by Sun Baoliang of Red
Hat.

This update also fixes the following bugs :

* In certain systems with multiple CPUs, when a crash was triggered on
one CPU with an interrupt handler and this CPU sent Non-Maskable
Interrupt (NMI) to another CPU, and, at the same time, ioapic_lock had
already been acquired, a deadlock occurred in ioapic_lock. As a
consequence, the kdump service could become unresponsive. This bug has
been fixed and kdump now works as expected. (BZ#1197742)

* On Lenovo X1 Carbon 3rd Gen, X250, and T550 laptops, the
thinkpad_acpi module was not properly loaded, and thus the function
keys and radio switches did not work. This update applies a new string
pattern of BIOS version, which fixes this bug, and function keys and
radio switches now work as intended. (BZ#1197743)

* During a heavy file system load involving many worker threads, all
worker threads in the pool became blocked on a resource, and no
manager thread existed to create more workers. As a consequence, the
running processes became unresponsive. With this update, the logic
around manager creation has been changed to assure that the last
worker thread becomes a manager thread and does not start executing
work items. Now, a manager thread exists, spawns new workers as
needed, and processes no longer hang. (BZ#1197744)

* If a thin-pool's metadata enters read-only or fail mode, for
example, due to thin-pool running out of metadata or data space, any
attempt to make metadata changes such as creating a thin device or
snapshot thin device should error out cleanly. However, previously,
the kernel code returned verbose and alarming error messages to the
user. With this update, due to early trapping of attempt to make
metadata changes, informative errors are displayed, no longer
unnecessarily alarming the user. (BZ#1197745)

* When running Red Hat Enterprise Linux as a guest on Microsoft
Hyper-V hypervisor, the storvsc module did not return the correct
error code for the upper level Small Computer System Interface (SCSI)
subsystem. As a consequence, a SCSI command failed and storvsc did not
handle such a failure properly under some conditions, for example,
when RAID devices were created on top of storvsc devices. An upstream
patch has been applied to fix this bug, and storvsc now returns the
correct error code in the described situation. (BZ#1197749)

All kernel users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. The system
must be rebooted for this update to take effect.

See also :

https://www.redhat.com/security/data/cve/CVE-2014-8159.html
https://www.redhat.com/security/data/cve/CVE-2015-1421.html
http://rhn.redhat.com/errata/RHSA-2015-0726.html

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Oracle Linux 5 / 6 / 7 : setroubleshoot (ELSA-2015-0729)


Synopsis:

The remote Oracle Linux host is missing one or more security updates.

Description:

Description of changes:

[3.2.17-4.1.0.1]
- Add setroubleshoot-oracle-enterprise.patch to change bug reporting
URL to linux.oracle.com

[3.2.17-4.1]
- Fix get_rpm_nvr_*_temporary functions
Resolves:#1203352

See also :

https://oss.oracle.com/pipermail/el-errata/2015-March/004950.html
https://oss.oracle.com/pipermail/el-errata/2015-March/004934.html
https://oss.oracle.com/pipermail/el-errata/2015-March/004933.html

Solution :

Update the affected setroubleshoot packages.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Oracle Linux 7 : ipa / slapi-nis (ELSA-2015-0728)


Synopsis:

The remote Oracle Linux host is missing one or more security updates.

Description:

Description of changes:

ipa
[4.1.0-18.0.1.el7_1.3]
- Replace login-screen-logo.png [20362818]
- Drop subscription-manager requires for OL7
- Drop redhat-access-plugin-ipa requires for OL7
- Blank out header-logo.png product-name.png

[4.1.0-18.3]
- [ipa-python] ipalib.errors.LDAPError: failed to decode certificate:
(SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312)

[4.1.0-18.2]
- IPA extdom plugin fails when encountering large groups (#1193759)
- CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and
getgrgid_r() (#1202997)

[4.1.0-18.1]
- 'an internal error has occurred' during ipa host-del --updatedns
(#1198431)
- Renamed patch 1013 to 0114, as it was merged upstream
- Fax number not displayed for user-show when kinit'ed as normal user.
(#1198430)
- Replication agreement with replica not disabled when ipa-restore done
without IPA installed (#1199060)
- Limit deadlocks between DS plugin DNA and slapi-nis (#1199128)

slapi-nis
[0.54-3]
- Fix CVE-2015-0283
- Resolves: #1202995

See also :

https://oss.oracle.com/pipermail/el-errata/2015-March/004951.html

Solution :

Update the affected ipa and / or slapi-nis packages.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Oracle Linux 7 : kernel (ELSA-2015-0726)


Synopsis:

The remote Oracle Linux host is missing one or more security updates.

Description:

Description of changes:

[3.10.0-229.1.2.el7]
- Oracle Linux certificates (Alexey Petrenko)

[3.10.0-229.1.2.el7]
- [infiniband] core: Prevent integer overflow in ib_umem_get address
arithmetic (Doug Ledford) [1181177 1179347] {CVE-2014-8159}

[3.10.0-229.1.1.el7]
- [crypto] testmgr: mark rfc4106(gcm(aes)) as fips_allowed (Jarod
Wilson) [1197751 1185400]
- [virt] storvsc: ring buffer failures may result in I/O freeze (Vitaly
Kuznetsov) [1197749 1171409]
- [md] dm-thin: don't allow messages to be sent to a pool target in
READ_ONLY or FAIL mode (Mike Snitzer) [1197745 1184592]
- [kernel] workqueue: fix subtle pool management issue which can stall
whole worker_pool (Eric Sandeen) [1197744 1165535]
- [platform] thinkpad_acpi: support new BIOS version string pattern
(Benjamin Tissoires) [1197743 1194830]
- [x86] ioapic: kcrash: Prevent crash_kexec() from deadlocking on
ioapic_lock (Baoquan He) [1197742 1182424]
- [net] sctp: fix slab corruption from use after free on INIT collisions
(Daniel Borkmann) [1196588 1183959] {CVE-2015-1421}

See also :

https://oss.oracle.com/pipermail/el-errata/2015-March/004952.html

Solution :

Update the affected kernel packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

FreeBSD : django -- multiple vulnerabilities (62287f51-d43d-11e4-879c-00e0814cab4e)


Synopsis:

The remote FreeBSD host is missing one or more security-related
updates.

Description:

The Django project reports :

In accordance with our security release policy, the Django team is
issuing multiple releases -- Django 1.4.20, 1.6.11, 1.7.7 and 1.8c1.
These releases are now available on PyPI and our download page. These
releases address several security issues detailed below. We encourage
all users of Django to upgrade as soon as possible. The Django master
branch has also been updated.

See also :

https://www.djangoproject.com/weblog/2015/mar/18/security-releases/
http://www.nessus.org/u?1c265fe9

Solution :

Update the affected packages.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 22 : mingw-xerces-c-3.1.2-1.fc22 (2015-4272)


Synopsis:

The remote Fedora host is missing a security update.

Description:

Update to xerces-c 3.1.2, fixing CVE-2015-0252.

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1199103
http://www.nessus.org/u?324af1db

Solution :

Update the affected mingw-xerces-c package.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 22 : php-5.6.7-2.fc22 (2015-4255)


Synopsis:

The remote Fedora host is missing a security update.

Description:

**19 Mar 2015, PHP 5.6.7**

Core :

- Fixed bug #69174 (leaks when unused inner class use
traits precedence). (Laruence)

- Fixed bug #69139 (Crash in gc_zval_possible_root on
unserialize). (Laruence)

- Fixed bug #69121 (Segfault in get_current_user when
script owner is not in passwd with ZTS build). (dan at
syneto dot net)

- Fixed bug #65593 (Segfault when calling ob_start from
output buffering callback). (Mike)

- Fixed bug #68986 (pointer returned by
php_stream_fopen_temporary_file not validated in
memory.c). (nayana at ddproperty dot com)

- Fixed bug #68166 (Exception with invalid character
causes segv). (Rasmus)

- Fixed bug #69141 (Missing arguments in reflection info
for some builtin functions). (kostyantyn dot lysyy at
oracle dot com)

- Fixed bug #68976 (Use After Free Vulnerability in
unserialize()) (CVE-2015-0231). (Stas)

- Fixed bug #69134 (Per Directory Values overrides
PHP_INI_SYSTEM configuration options). (Anatol Belski)

- Fixed bug #69207 (move_uploaded_file allows nulls in
path). (Stas)

CGI :

- Fixed bug #69015 (php-cgi's getopt does not see $argv).
(Laruence)

CLI :

- Fixed bug #67741 (auto_prepend_file messes up __LINE__).
(Reeze Xia)

cURL :

- Fixed bug #69088 (PHP_MINIT_FUNCTION does not fully
initialize cURL on Win32). (Grant Pannell)

- Add CURLPROXY_SOCKS4A and CURLPROXY_SOCKS5_HOSTNAME
constants if supported by libcurl. (Linus Unneback)

Ereg :

- Fixed bug #69248 (heap overflow vulnerability in
regcomp.c) (CVE-2015-2305). (Stas)

FPM :

- Fixed bug #68822 (request time is reset too early).
(honghu069 at 163 dot com)

ODBC :

- Fixed bug #68964 (Allowed memory size exhausted with
odbc_exec). (Anatol)

Opcache :

- Fixed bug #69159 (Opcache causes problem when passing a
variable variable to a function). (Dmitry, Laruence)

- Fixed bug #69125 (Array numeric string as key).
(Laruence)

- Fixed bug #69038 (switch(SOMECONSTANT) misbehaves).
(Laruence)

OpenSSL :

- Fixed bug #68912 (Segmentation fault at
openssl_spki_new). (Laruence)

- Fixed bug #61285, #68329, #68046, #41631 (encrypted
streams don't observe socket timeouts). (Brad
Broerman)

- Fixed bug #68920 (use strict peer_fingerprint input
checks) (Daniel Lowrey)

- Fixed bug #68879 (IP Address fields in subjectAltNames
not used) (Daniel Lowrey)

- Fixed bug #68265 (SAN match fails with trailing DNS
dot) (Daniel Lowrey)

- Fixed bug #67403 (Add signatureType to
openssl_x509_parse) (Daniel Lowrey)

- Fixed bug #69195 (Inconsistent stream crypto values
across versions) (Daniel Lowrey)

pgsql :

- Fixed bug #68638 (pg_update() fails to store infinite
values). (william dot welter at 4linux dot com dot br,
Laruence)

Readline :

- Fixed bug #69054 (Null dereference in
readline_(read|write)_history() without parameters).
(Laruence)

SOAP :

- Fixed bug #69085 (SoapClient's __call() type confusion
through unserialize()). (andrea dot palazzo at truel dot
it, Laruence)

SPL :

- Fixed bug #69108 ('Segmentation fault' when
(de)serializing SplObjectStorage). (Laruence)

- Fixed bug #68557 (RecursiveDirectoryIterator::seek(0)
broken after calling getChildren()). (Julien)

ZIP :

- Fixed bug #69253 (ZIP Integer Overflow leads to writing
past heap boundary) (CVE-2015-2331). (Stas)

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1204868
http://www.nessus.org/u?215d7f24

Solution :

Update the affected php package.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 22 : drupal7-7.35-1.fc22 (2015-4244)


Synopsis:

The remote Fedora host is missing a security update.

Description:

- Upstream release notes:
https://www.drupal.org/drupal-7.35-release-notes

- Official security advisory:
https://www.drupal.org/SA-CORE-2015-001

See also :

https://www.drupal.org/SA-CORE-2015-001
https://www.drupal.org/drupal-7.35-release-notes
http://www.nessus.org/u?9bff899f

Solution :

Update the affected drupal7 package.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 22 : xerces-c-3.1.2-1.fc22 (2015-4226)


Synopsis:

The remote Fedora host is missing a security update.

Description:

Update to xerces-c 3.1.2, fixing CVE-2015-0252.

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1199103
http://www.nessus.org/u?d1904ba9

Solution :

Update the affected xerces-c package.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 20 : ettercap-0.8.2-1.fc20 (2015-4020)


Synopsis:

The remote Fedora host is missing a security update.

Description:

0.8.2-Ferri

Bug Fixes

- Fixed some openssl deprecated functions usage

- Fixed log file ownership

- Fixed mixed output print

- Fixed drop_privs function usage

- Fixed nopromisc option usage

- Fixed missing break in parser code

- Improved redirect commands

- Fix truncated VLAN packet headers

- Fix ettercap.rc file (windows only)

- Various cmake fixes

- A ton of BSD bug fixes

- Simplify macosx cmake files

- Fix incorrect sequence number after TCP injection

- Fix pcap length and alignment problems with libpcap

- Bug fixes and gtk code refactor (gtk box wrapper)

- Fix some ipv6 send issues

- Fixed sleep time on Windows (high CPU usage)

- Fixed many CVE vulnerabilities (some of them already fixed in 0.8.1) :

- CVE-2014-6395 (Length Parameter Inconsistency)

- CVE-2014-6396 (Arbitrary write)

- CVE-2014-9376 (Negative index/underflow)

- CVE-2014-9377 (Heap overflow)

- CVE-2014-9378 (Unchecked return value)

- CVE-2014-9379 (Incorrect cast)

- CVE-2014-9380 (Buffer over-read)

- CVE-2014-9381 (Signedness error)

New Features

- Updated etter.finger.mac

- Add TXT and ANY query support on dns_spoof

- New macosx travis-ci build!

- Enable again PDF generation

Removed

- Remove gprof support

See also :

http://www.nessus.org/u?d3d744ed

Solution :

Update the affected ettercap package.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 21 : ettercap-0.8.2-1.fc21 (2015-3984)


Synopsis:

The remote Fedora host is missing a security update.

Description:

0.8.2-Ferri

Bug Fixes

- Fixed some openssl deprecated functions usage

- Fixed log file ownership

- Fixed mixed output print

- Fixed drop_privs function usage

- Fixed nopromisc option usage

- Fixed missing break in parser code

- Improved redirect commands

- Fix truncated VLAN packet headers

- Fix ettercap.rc file (windows only)

- Various cmake fixes

- A ton of BSD bug fixes

- Simplify macosx cmake files

- Fix incorrect sequence number after TCP injection

- Fix pcap length and alignment problems with libpcap

- Bug fixes and gtk code refactor (gtk box wrapper)

- Fix some ipv6 send issues

- Fixed sleep time on Windows (high CPU usage)

- Fixed many CVE vulnerabilities (some of them already fixed in 0.8.1) :

- CVE-2014-6395 (Length Parameter Inconsistency)

- CVE-2014-6396 (Arbitrary write)

- CVE-2014-9376 (Negative index/underflow)

- CVE-2014-9377 (Heap overflow)

- CVE-2014-9378 (Unchecked return value)

- CVE-2014-9379 (Incorrect cast)

- CVE-2014-9380 (Buffer over-read)

- CVE-2014-9381 (Signedness error)

New Features

- Updated etter.finger.mac

- Add TXT and ANY query support on dns_spoof

- New macosx travis-ci build!

- Enable again PDF generation

Removed

- Remove gprof support

See also :

http://www.nessus.org/u?41cc9378

Solution :

Update the affected ettercap package.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 20 : nx-libs-3.5.0.29-1.fc20 (2015-3964)


Synopsis:

The remote Fedora host is missing a security update.

Description:

Update to 3.5.0.29 :

- further reduction of code size by Mike Gabriel

- ~/.x2go/config/keystrokes.cfg,
/etc/x2go/keystrokes.cfg and
/etc/nxagent/keystrokes.cfg are now respected thanks
to Horst Schirmeier

- security fixes for CVE-2011-2895, CVE-2011-4028,
CVE-2013-4396, CVE-2013-6462, CVE-2014-0209,
CVE-2014-0210, CVE-2014-0211, CVE-2014-8092,
CVE-2014-8097, CVE-2014-8095, CVE-2014-8096,
CVE-2014-8099, CVE-2014-8100, CVE-2014-8102,
CVE-2014-8101, CVE-2014-8093, CVE-2014-8098,
CVE-2015-0255 by Michael DePaulo

- other (build) bug fixes

Update to 3.5.0.28 :

- Fix non-working Copy+Paste into some rootless Qt applications when
Xfixes extension is enabled in NX. Thanks to Ulrich Sibiller!

- Adapt X11 launchd socket path for recent Mac OS X versions.

- Fix Xinerama on Debian/Ubuntu installation (only worked on systems
that had dpkg-dev installed) and all RPM based distros.

- Partly make nxcomp aware of nx-libs's four-digit version string.
Thanks to Nito Martinez from TheQVD project!

- Fix unowned directories

- Minor cleanup

See also :

http://www.nessus.org/u?98af766f

Solution :

Update the affected nx-libs package.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 21 : nx-libs-3.5.0.29-1.fc21 (2015-3948)


Synopsis:

The remote Fedora host is missing a security update.

Description:

Update to 3.5.0.29 :

- further reduction of code size by Mike Gabriel

- ~/.x2go/config/keystrokes.cfg,
/etc/x2go/keystrokes.cfg and
/etc/nxagent/keystrokes.cfg are now respected thanks
to Horst Schirmeier

- security fixes for CVE-2011-2895, CVE-2011-4028,
CVE-2013-4396, CVE-2013-6462, CVE-2014-0209,
CVE-2014-0210, CVE-2014-0211, CVE-2014-8092,
CVE-2014-8097, CVE-2014-8095, CVE-2014-8096,
CVE-2014-8099, CVE-2014-8100, CVE-2014-8102,
CVE-2014-8101, CVE-2014-8093, CVE-2014-8098,
CVE-2015-0255 by Michael DePaulo

- other (build) bug fixes

Update to 3.5.0.28 :

- Fix non-working Copy+Paste into some rootless Qt applications when
Xfixes extension is enabled in NX. Thanks to Ulrich Sibiller!

- Adapt X11 launchd socket path for recent Mac OS X versions.

- Fix Xinerama on Debian/Ubuntu installation (only worked on systems
that had dpkg-dev installed) and all RPM based distros.

- Partly make nxcomp aware of nx-libs's four-digit version string.
Thanks to Nito Martinez from TheQVD project!

- Fix unowned directories

- Minor cleanup

See also :

http://www.nessus.org/u?39a7deb6

Solution :

Update the affected nx-libs package.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 20 : dokuwiki-0-0.24.20140929c.fc20 (2015-3211)


Synopsis:

The remote Fedora host is missing a security update.

Description:

This update fixes CVE-2015-2172 :

- There's a security hole in the ACL plugin's remote API
component. The plugin fails to check for superuser
permissions before executing ACL addition or deletion.
This means everybody with permissions to call the XMLRPC
API also has permissions to set up their own ACL rules
and thus circumvent any existing rules.

Update to the 2014-09-29b release which contains various fixes,
notably :

Security :

- CVE-2014-9253 - XSS via SFW file upload

- CVE-2012-6662 - jquery-ui XSS vulnerability

Bugfixes :

- dokuwiki requires php-xml (RHBZ#1061477)

- wrong SELinux file context for writable
files/directories (RHBZ#1064524)

- drop httpd requirement (RHBZ#1164396)

This update adds dokuwiki package to EPEL7

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1197822
http://www.nessus.org/u?325fb0ad

Solution :

Update the affected dokuwiki package.

Risk factor :

Medium / CVSS Base Score : 4.0
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 21 : dokuwiki-0-0.24.20140929c.fc21 (2015-3186)


Synopsis:

The remote Fedora host is missing a security update.

Description:

This update fixes CVE-2015-2172

- There is a security hole in the ACL plugin's remote API
component. The plugin fails to check for superuser
permissions before executing ACL addition or deletion.
This means everybody with permission to call the XML-RPC
API can also set up their own ACL rules and thus
circumvent any existing rules.

Update to the 2014-09-29b release which contains various fixes,
notably :

Security :

- CVE-2014-9253 - XSS via SWF file upload

- CVE-2012-6662 - jquery-ui XSS vulnerability

Bugfixes :

- dokuwiki requires php-xml (RHBZ#1061477)

- wrong SELinux file context for writable
files/directories (RHBZ#1064524)

- drop httpd requirement (RHBZ#1164396)

This update adds dokuwiki package to EPEL7

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1197822
http://www.nessus.org/u?80317846

Solution :

Update the affected dokuwiki package.

Risk factor :

Medium / CVSS Base Score : 4.0
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 22 : dokuwiki-0-0.24.20140929c.fc22 (2015-3079)


Synopsis:

The remote Fedora host is missing a security update.

Description:

This update fixes CVE-2015-2172

- There is a security hole in the ACL plugin's remote API
component. The plugin fails to check for superuser
permissions before executing ACL addition or deletion.
This means everybody with permission to call the XML-RPC
API can also set up their own ACL rules and thus
circumvent any existing rules.

Update to the 2014-09-29b release which contains various fixes,
notably :

Security :

- CVE-2014-9253 - XSS via SWF file upload

- CVE-2012-6662 - jquery-ui XSS vulnerability

Bugfixes :

- dokuwiki requires php-xml (RHBZ#1061477)

- wrong SELinux file context for writable
files/directories (RHBZ#1064524)

- drop httpd requirement (RHBZ#1164396)

This update adds dokuwiki package to EPEL7
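The flaw behind CVE-2015-2172 (this advisory and the Fedora 20 and 21
ones above) is an RPC method that mutates ACLs without first asking
who is calling. The following is an added example, not DokuWiki's
code or the Fedora package's: it reproduces the bug class in
miniature with Python's standard-library XML-RPC dispatcher. The
method names plugin.acl.addAcl / plugin.acl.delAcl, the Session
object, the fault code and the in-memory rule store are assumptions
made for illustration. The same request is run through an unpatched
dispatcher, which lets any API caller write rules, and a patched one
that refuses non-superusers with a fault before the store is touched.

```python
"""Added example: an XML-RPC ACL method with and without a superuser gate."""
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher

ADMIN_LEVEL = 255          # assumed "full access" level for the toy ACL


class Session:
    """Assumed stand-in for the authenticated API caller."""
    def __init__(self, user, is_superuser=False):
        self.user = user
        self.is_superuser = is_superuser


def build_dispatcher(store, session, patched):
    """Register the assumed plugin.acl.* methods over an in-memory rule store.

    store: dict mapping scope -> {user: level}
    patched=False reproduces the flaw: nobody checks who is calling.
    patched=True  refuses the mutation unless the session is a superuser.
    """
    def require_superuser():
        if patched and not session.is_superuser:
            # Fault code/message are assumptions; what matters is that the
            # check runs before any rule is written or removed.
            raise xmlrpc.client.Fault(111, "superuser required")

    def add_acl(scope, user, level):
        require_superuser()
        store.setdefault(scope, {})[user] = int(level)
        return True

    def del_acl(scope, user):
        require_superuser()
        return store.get(scope, {}).pop(user, None) is not None

    dispatcher = SimpleXMLRPCDispatcher(allow_none=False, encoding="utf-8")
    dispatcher.register_function(add_acl, "plugin.acl.addAcl")
    dispatcher.register_function(del_acl, "plugin.acl.delAcl")
    return dispatcher


def call(dispatcher, method, *params):
    """Marshal a request, dispatch it in-process and unmarshal the reply.

    _marshaled_dispatch is the entry point the HTTP request handler uses;
    calling it directly keeps the example offline.  Faults are re-raised
    as xmlrpc.client.Fault, exactly as a remote client would see them.
    """
    request = xmlrpc.client.dumps(params, methodname=method).encode("utf-8")
    response = dispatcher._marshaled_dispatch(request)
    return xmlrpc.client.loads(response)[0][0]


def grant_self_full_access(patched):
    """An ordinary API user tries to give themselves full access on every page.

    Returns (succeeded, store) so the two code paths can be compared.
    """
    store = {"*": {"@ALL": 1}}                 # constructed starting ACL
    mallory = Session("mallory", is_superuser=False)
    api = build_dispatcher(store, mallory, patched)
    try:
        ok = call(api, "plugin.acl.addAcl", "*", "mallory", ADMIN_LEVEL)
    except xmlrpc.client.Fault:
        ok = False
    return ok, store


if __name__ == "__main__":
    for patched in (False, True):
        ok, store = grant_self_full_access(patched)
        print("patched" if patched else "unpatched", "->", ok, store)
```

The authorization check belongs in the method itself, before the
first write, rather than in whatever happens to front the API: the
XML-RPC layer already authenticated the caller, which is exactly why
"can call the API" was being mistaken for "may edit ACLs".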

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1197822
http://www.nessus.org/u?9f98f987

Solution :

Update the affected dokuwiki package.

Risk factor :

Medium / CVSS Base Score : 4.0
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 20 : drupal7-views-3.10-1.fc20 (2015-2104)


Synopsis:

The remote Fedora host is missing a security update.

Description:

- SA-CONTRIB-2015-039 - Views - Multiple vulnerabilities:
https://www.drupal.org/node/2424403

- Release notes: https://www.drupal.org/node/2424103

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1192339
https://bugzilla.redhat.com/show_bug.cgi?id=1192961
https://www.drupal.org/node/2424103
https://www.drupal.org/node/2424403
http://www.nessus.org/u?8753c5df

Solution :

Update the affected drupal7-views package.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 21 : drupal7-views-3.10-1.fc21 (2015-2101)


Synopsis:

The remote Fedora host is missing a security update.

Description:

- SA-CONTRIB-2015-039 - Views - Multiple vulnerabilities:
https://www.drupal.org/node/2424403

- Release notes: https://www.drupal.org/node/2424103

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1192339
https://bugzilla.redhat.com/show_bug.cgi?id=1192961
https://www.drupal.org/node/2424103
https://www.drupal.org/node/2424403
http://www.nessus.org/u?3d84f57f

Solution :

Update the affected drupal7-views package.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

CentOS 5 / 6 : setroubleshoot (CESA-2015:0729)


Synopsis:

The remote CentOS host is missing one or more security updates.

Description:

Updated setroubleshoot packages that fix one security issue are now
available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the References section.

The setroubleshoot packages provide tools to help diagnose SELinux
problems. When Access Vector Cache (AVC) messages are returned, an
alert can be generated that provides information about the problem and
helps to track its resolution.

It was found that setroubleshoot did not sanitize file names supplied
in a shell command look-up for RPMs associated with access violation
reports. An attacker could use this flaw to escalate their privileges
on the system by supplying a specially crafted file to the underlying
shell command. (CVE-2015-1815)
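An added example, not setroubleshoot's code, of the bug class behind
CVE-2015-1815: a file name taken from an access-violation report is
interpolated into a shell command line. Here echo stands in for the
real rpm -qf look-up so the example runs without RPM installed and so
that any extra command the file name smuggles in shows up as its own
output line; the function names and the malicious path are
constructed for illustration.

```python
"""Added example: shell interpolation of a file name versus an argv call."""
import shlex
import subprocess

# Stand-in for the real "rpm -qf" package look-up: echo prints what it was
# handed, so an injected command shows up as an extra output line.
LOOKUP = "echo"

# Constructed attacker-controlled file name, e.g. a path taken from an
# SELinux AVC denial.  The ';' ends the echo command and starts a new one.
MALICIOUS_PATH = "/tmp/report.txt; echo INJECTED"


def lookup_vulnerable(path):
    """String interpolation into a shell command: the file name is parsed
    by /bin/sh, so metacharacters in it become commands."""
    cmd = LOOKUP + " -qf " + path
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_fixed(path):
    """Pass the file name as one argv element; no shell is involved and
    the whole string reaches the program as a single argument."""
    return subprocess.run([LOOKUP, "-qf", path],
                          capture_output=True, text=True).stdout


def lookup_quoted(path):
    """If a shell really is required, quote the argument for it."""
    cmd = LOOKUP + " -qf " + shlex.quote(path)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def injected(output):
    """True when the smuggled command ran, i.e. INJECTED appears on a line
    of its own rather than inside the echoed file name."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    for fn in (lookup_vulnerable, lookup_fixed, lookup_quoted):
        out = fn(MALICIOUS_PATH)
        print(f"{fn.__name__:18s} injected={injected(out)!s:5s} output={out!r}")
```

The argv form is the fix to prefer: quoting only helps if every call
site remembers to do it, while a list argument never reaches a shell
at all. Note the privilege angle from the advisory: the look-up runs
in the setroubleshoot daemon, so whoever controls the file name in a
denial (any local user triggering an AVC) controls what that daemon
executes.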

Red Hat would like to thank Sebastian Krahmer of the SUSE Security
Team for reporting this issue.

All setroubleshoot users are advised to upgrade to these updated
packages, which contain a backported patch to correct this issue.

See also :

http://www.nessus.org/u?2200e512
http://www.nessus.org/u?65002692

Solution :

Update the affected setroubleshoot packages.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Mac OS X : Cisco AnyConnect Secure Mobility Client < 3.1(7021) <= 4.0(48) Multiple Vulnerabilities


Synopsis:

The remote host is affected by multiple vulnerabilities.

Description:

The remote Mac OS X host has a version of Cisco AnyConnect Secure
Mobility Client installed that is prior to 3.1.7021.0, or else it is a
version equal to or prior to 4.0.0048.0. It is, therefore, affected by
multiple vulnerabilities in the OpenSSL library :

- The BIGNUM squaring (BN_sqr) implementation does not
properly calculate the square of a BIGNUM value. This
allows remote attackers to defeat cryptographic
protection mechanisms. (CVE-2014-3570)

- A NULL pointer dereference flaw exists with
dtls1_get_record when handling DTLS messages. A remote
attacker, using a specially crafted DTLS message, can
cause a denial of service. (CVE-2014-3571)

- A flaw exists when accepting non-DER variations of
certificate signature algorithms and signature encodings
due to a lack of enforcement of matches between signed
and unsigned portions. A remote attacker, by including
crafted data within a certificate's unsigned portion,
can bypass fingerprint-based certificate-blacklist
protection mechanisms. (CVE-2014-8275)

- A security feature bypass vulnerability, known as FREAK
(Factoring attack on RSA-EXPORT Keys), exists due to the
support of weak EXPORT_RSA cipher suites with keys less
than or equal to 512 bits. A man-in-the-middle attacker
may be able to downgrade the SSL/TLS connection to use
EXPORT_RSA cipher suites which can be factored in a
short amount of time, allowing the attacker to intercept
and decrypt the traffic. (CVE-2015-0204)

- A memory leak occurs in dtls1_buffer_record when
handling a flood of DTLS records that carry the same
sequence number but for the next epoch. This allows a
remote attacker to cause a denial of service.
(CVE-2015-0206)

See also :

http://www.nessus.org/u?bd646a4f

Solution :

Upgrade to Cisco AnyConnect Secure Mobility Client 3.1(7021) or
later, or refer to the vendor.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Cisco AnyConnect Secure Mobility Client < 3.1(7021) / <= 4.0(48) Multiple Vulnerabilities


Synopsis:

The remote host is affected by multiple vulnerabilities.

Description:

The remote host has a version of Cisco AnyConnect Secure Mobility
Client installed that is prior to 3.1.7021.0, or else it is a version
equal to or prior to 4.0.0048.0. It is, therefore, affected by multiple
vulnerabilities in the OpenSSL library :

- The BIGNUM squaring (BN_sqr) implementation does not
properly calculate the square of a BIGNUM value. This
allows remote attackers to defeat cryptographic
protection mechanisms. (CVE-2014-3570)

- A NULL pointer dereference flaw exists with
dtls1_get_record when handling DTLS messages. A remote
attacker, using a specially crafted DTLS message, can
cause a denial of service. (CVE-2014-3571)

- A flaw exists when accepting non-DER variations of
certificate signature algorithms and signature encodings
due to a lack of enforcement of matches between signed
and unsigned portions. A remote attacker, by including
crafted data within a certificate's unsigned portion,
can bypass fingerprint-based certificate-blacklist
protection mechanisms. (CVE-2014-8275)

- A security feature bypass vulnerability, known as FREAK
(Factoring attack on RSA-EXPORT Keys), exists due to the
support of weak EXPORT_RSA cipher suites with keys less
than or equal to 512 bits. A man-in-the-middle attacker
may be able to downgrade the SSL/TLS connection to use
EXPORT_RSA cipher suites which can be factored in a
short amount of time, allowing the attacker to intercept
and decrypt the traffic. (CVE-2015-0204)

- A memory leak occurs in dtls1_buffer_record when
handling a flood of DTLS records that carry the same
sequence number but for the next epoch. This allows a
remote attacker to cause a denial of service.
(CVE-2015-0206)
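FREAK, as described in both AnyConnect entries, needs a server that
will still negotiate an RSA_EXPORT suite. The following added example
(not Cisco's or OpenSSL's code) builds a minimal TLS 1.0 ClientHello
that offers only the three 512-bit-or-weaker RSA_EXPORT suites and
reads the server's first record: a ServerHello selecting one of them
means the server side of the downgrade is available, an alert means
it refused. The host name in the usage line is an assumption; the
ServerHello used for the offline check is constructed by
make_server_hello. This probes a server; the client-side half of the
bug (a client accepting an export-grade RSA key inside a non-export
suite), which is what the AnyConnect fix addresses, is not exercised.

```python
"""Added example: offer only RSA_EXPORT suites and see what the server picks."""
import os
import socket

# RSA key-exchange suites with 512-bit (or weaker) export keys.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
TLS10 = b"\x03\x01"
HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def build_client_hello(suites=tuple(RSA_EXPORT_SUITES)):
    """TLS 1.0 ClientHello record offering exactly the given cipher suites."""
    body = TLS10 + os.urandom(32) + b"\x00"            # version, random, no session id
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    body += len(cs).to_bytes(2, "big") + cs            # cipher_suites<2..2^16-2>
    body += b"\x01\x00"                                # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + TLS10 + len(handshake).to_bytes(2, "big") + handshake


def parse_server_hello(data):
    """Return the cipher suite chosen in the first handshake message, or
    None if the server answered with an alert (handshake refused)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record")
    if data[0] == ALERT:
        return None
    if data[0] != HANDSHAKE or len(data) < 9 or data[5] != SERVER_HELLO:
        raise ValueError("expected a ServerHello")
    length = int.from_bytes(data[6:9], "big")
    hello = data[9:9 + length]
    sid_len = hello[34]                                # after version(2) + random(32)
    off = 35 + sid_len
    return int.from_bytes(hello[off:off + 2], "big")


def make_server_hello(suite):
    """Constructed ServerHello record selecting `suite` (offline test vector)."""
    hello = TLS10 + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + TLS10 + len(handshake).to_bytes(2, "big") + handshake


def accepts_rsa_export(response):
    """Interpret a server's first record: (selected suite name or None, vulnerable?)."""
    suite = parse_server_hello(response)
    name = RSA_EXPORT_SUITES.get(suite, hex(suite) if suite is not None else None)
    return name, suite in RSA_EXPORT_SUITES


def probe(host, port=443, timeout=5.0):
    """Send the export-only ClientHello to a live server (network access needed)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        response = sock.recv(4096)
    return accepts_rsa_export(response)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed host
    print(probe(target))
```

A refusal here only shows the server is not the weak half of the
pair; a vulnerable client is still exposed to any export-capable
server it talks to, which is why the advisory's fix is on the client.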

See also :

http://www.nessus.org/u?bd646a4f

Solution :

Upgrade to Cisco AnyConnect Secure Mobility Client 3.1(7021) or
later, or refer to the vendor.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Honeywell XL Web Controller FTP Directory Traversal


Synopsis:

The remote host is affected by a directory traversal vulnerability.

Description:

The remote host is a Honeywell XL Web SCADA controller that is running
a firmware version affected by a directory traversal vulnerability in
the FTP server. A remote, unauthenticated attacker can exploit this to
gain access to the web root directory.

See also :

https://ics-cert.us-cert.gov/advisories/ICSA-15-076-02

Solution :

Contact the vendor for the latest available updates.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Ubuntu 12.04 LTS / 14.04 / 14.10 : libarchive vulnerabilities (USN-2549-1)


Synopsis:

The remote Ubuntu host is missing one or more security-related patches.

Description:

It was discovered that the libarchive bsdcpio utility extracted
absolute paths by default, even when the --insecure flag had not
been given, contrary to expectations. If a user or automated system
were tricked into extracting cpio archives containing absolute
paths, a remote attacker may be able to write to arbitrary files.
(CVE-2015-2304)

Fabian Yamaguchi discovered that libarchive incorrectly handled
certain type conversions. A remote attacker could possibly use this
issue to cause libarchive to crash, resulting in a denial of service.
This issue only affected Ubuntu 12.04 LTS. (CVE-2013-0211)
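Because the unsafe default in bsdcpio was the problem, inspecting an
archive before handing it to the extractor is the practical
mitigation. The example below is added here and is not libarchive's
code: it is a small reader for the SVR4 "newc" cpio format (magic
070701) that lists every member and flags absolute paths, ".."
components, and symlinks whose target is absolute or escapes the
tree. The sample archive is constructed in memory by newc_entry so
the check runs offline; on real input, pass the bytes of a .cpio
file to unsafe_entries.

```python
"""Added example: find absolute paths and traversal in a newc cpio archive."""
import pathlib

MAGIC = b"070701"
HEADER_LEN = 110          # 6-byte magic + 13 eight-character hex fields
S_IFMT, S_IFLNK = 0o170000, 0o120000


def newc_entry(name, data=b"", mode=0o100644):
    """Build one newc member (used here only to construct the sample archive)."""
    name_bytes = name.encode() + b"\x00"
    # ino mode uid gid nlink mtime filesize devmajor devminor rdevmajor rdevminor namesize check
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_bytes), 0]
    out = MAGIC + b"".join(b"%08x" % f for f in fields) + name_bytes
    out += b"\x00" * (-len(out) % 4)              # header+name padded to 4 bytes
    out += data + b"\x00" * (-len(data) % 4)      # data padded to 4 bytes
    return out


def iter_newc(blob):
    """Yield (name, mode, data) for every member up to the TRAILER!!! record."""
    off = 0
    while off + HEADER_LEN <= len(blob):
        hdr = blob[off:off + HEADER_LEN]
        if hdr[:6] != MAGIC:
            raise ValueError(f"bad magic at offset {off}: {hdr[:6]!r}")
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = fields[1], fields[6], fields[11]
        name = blob[off + HEADER_LEN:off + HEADER_LEN + namesize - 1].decode()
        off += HEADER_LEN + namesize
        off += -off % 4                            # name field is 4-byte aligned
        data = blob[off:off + size]
        off += size
        off += -off % 4                            # so is the data field
        if name == "TRAILER!!!":
            return
        yield name, mode, data


def escapes_tree(path):
    """True for absolute paths and for any '..' component."""
    p = pathlib.PurePosixPath(path)
    return p.is_absolute() or ".." in p.parts


def unsafe_entries(blob):
    """Names of members that would write outside the extraction directory."""
    flagged = []
    for name, mode, data in iter_newc(blob):
        if escapes_tree(name):
            flagged.append(name)
        elif (mode & S_IFMT) == S_IFLNK and escapes_tree(data.decode()):
            flagged.append(name)                   # symlink pointing outside the tree
    return flagged


# Constructed sample: one harmless file, two path tricks and a hostile symlink.
SAMPLE = b"".join([
    newc_entry("etc/motd", b"hello\n"),
    newc_entry("/etc/cron.d/job", b"* * * * * root /tmp/x\n"),
    newc_entry("../../.ssh/authorized_keys", b"ssh-ed25519 AAAA...\n"),
    newc_entry("passwd-link", b"/etc/passwd", mode=0o120777),
    newc_entry("TRAILER!!!", mode=0),
])

if __name__ == "__main__":
    for name, mode, data in iter_newc(SAMPLE):
        print(f"{mode:06o} {len(data):5d} {name}")
    print("unsafe:", unsafe_entries(SAMPLE))
```

The symlink case matters even once absolute member names are
rejected: a link created by one member and a later member written
through it is the other standard way an archive escapes its
directory, so a pre-flight check should look at link targets, not
only at names.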

Solution :

Update the affected bsdcpio, libarchive12 and / or libarchive13
packages.

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P)
CVSS Temporal Score : 5.6
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Ubuntu Security Notice (C) 2015 Canonical, Inc. / NASL script (C) 2015 Tenable Network Security, Inc.

Ubuntu 12.04 LTS / 14.04 / 14.10 : batik vulnerability (USN-2548-1)


Synopsis:

The remote Ubuntu host is missing a security-related patch.

Description:

Nicolas Gregoire and Kevin Schaller discovered that Batik would load
XML external entities by default. If a user or automated system were
tricked into opening a specially crafted SVG file, an attacker could
possibly obtain access to arbitrary files or cause resource
consumption.

Solution :

Update the affected libbatik-java package.

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P)
CVSS Temporal Score : 5.6
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Ubuntu Security Notice (C) 2015 Canonical, Inc. / NASL script (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : openssl on SL7.x x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

An invalid pointer use flaw was found in OpenSSL's ASN1_TYPE_cmp()
function. A remote attacker could crash a TLS/SSL client or server
using OpenSSL via a specially crafted X.509 certificate when the
attacker-supplied certificate was verified by the application.
(CVE-2015-0286)

An integer underflow flaw, leading to a buffer overflow, was found in
the way OpenSSL decoded malformed Base64-encoded inputs. An attacker
able to make an application using OpenSSL decode a specially crafted
Base64-encoded input (such as a PEM file) could use this flaw to cause
the application to crash. Note: this flaw is not exploitable via the
TLS/SSL protocol because the data being transferred is not
Base64-encoded. (CVE-2015-0292)

A denial of service flaw was found in the way OpenSSL handled SSLv2
handshake messages. A remote attacker could use this flaw to cause a
TLS/SSL server using OpenSSL to exit on a failed assertion if it had
both the SSLv2 protocol and EXPORT-grade cipher suites enabled.
(CVE-2015-0293)

A use-after-free flaw was found in the way OpenSSL imported malformed
Elliptic Curve private keys. A specially crafted key file could cause
an application using OpenSSL to crash when imported. (CVE-2015-0209)

An out-of-bounds write flaw was found in the way OpenSSL reused
certain ASN.1 structures. A remote attacker could possibly use a
specially crafted ASN.1 structure that, when parsed by an application,
would cause that application to crash. (CVE-2015-0287)

A NULL pointer dereference flaw was found in OpenSSL's X.509
certificate handling implementation. A specially crafted X.509
certificate could cause an application using OpenSSL to crash if the
application attempted to convert the certificate to a certificate
request. (CVE-2015-0288)

A NULL pointer dereference was found in the way OpenSSL handled
certain PKCS#7 inputs. An attacker able to make an application using
OpenSSL verify, decrypt, or parse a specially crafted PKCS#7 input
could cause that application to crash. TLS/SSL clients and servers
using OpenSSL were not affected by this flaw. (CVE-2015-0289)

This update also fixes the following bug :

- When a wrapped Advanced Encryption Standard (AES) key
did not require any padding, it was incorrectly padded
with 8 bytes, which could lead to data corruption and
interoperability problems. With this update, the
rounding algorithm in the RFC 5649 key wrapping
implementation has been fixed. As a result, the wrapped
key conforms to the specification, which prevents the
described problems.

For the update to take effect, all services linked to the OpenSSL
library must be restarted, or the system rebooted.

See also :

http://www.nessus.org/u?eb7e257d

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : openssl on SL6.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

An invalid pointer use flaw was found in OpenSSL's ASN1_TYPE_cmp()
function. A remote attacker could crash a TLS/SSL client or server
using OpenSSL via a specially crafted X.509 certificate when the
attacker-supplied certificate was verified by the application.
(CVE-2015-0286)

An integer underflow flaw, leading to a buffer overflow, was found in
the way OpenSSL decoded malformed Base64-encoded inputs. An attacker
able to make an application using OpenSSL decode a specially crafted
Base64-encoded input (such as a PEM file) could use this flaw to cause
the application to crash. Note: this flaw is not exploitable via the
TLS/SSL protocol because the data being transferred is not
Base64-encoded. (CVE-2015-0292)

A denial of service flaw was found in the way OpenSSL handled SSLv2
handshake messages. A remote attacker could use this flaw to cause a
TLS/SSL server using OpenSSL to exit on a failed assertion if it had
both the SSLv2 protocol and EXPORT-grade cipher suites enabled.
(CVE-2015-0293)

A use-after-free flaw was found in the way OpenSSL imported malformed
Elliptic Curve private keys. A specially crafted key file could cause
an application using OpenSSL to crash when imported. (CVE-2015-0209)

An out-of-bounds write flaw was found in the way OpenSSL reused
certain ASN.1 structures. A remote attacker could possibly use a
specially crafted ASN.1 structure that, when parsed by an application,
would cause that application to crash. (CVE-2015-0287)

A NULL pointer dereference flaw was found in OpenSSL's X.509
certificate handling implementation. A specially crafted X.509
certificate could cause an application using OpenSSL to crash if the
application attempted to convert the certificate to a certificate
request. (CVE-2015-0288)

A NULL pointer dereference was found in the way OpenSSL handled
certain PKCS#7 inputs. An attacker able to make an application using
OpenSSL verify, decrypt, or parse a specially crafted PKCS#7 input
could cause that application to crash. TLS/SSL clients and servers
using OpenSSL were not affected by this flaw. (CVE-2015-0289)

For the update to take effect, all services linked to the OpenSSL
library must be restarted, or the system rebooted.

See also :

http://www.nessus.org/u?6b312081

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : firefox on SL5.x, SL6.x, SL7.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

Two flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user
running Firefox. (CVE-2015-0817, CVE-2015-0818)

After installing the update, Firefox must be restarted for the changes
to take effect.

See also :

http://www.nessus.org/u?522d76ad

Solution :

Update the affected firefox and / or firefox-debuginfo packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : unzip on SL6.x, SL7.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

A buffer overflow was found in the way unzip uncompressed certain
extra fields of a file. A specially crafted Zip archive could cause
unzip to crash or, possibly, execute arbitrary code when the archive
was tested with unzip's '-t' option. (CVE-2014-9636)

A buffer overflow flaw was found in the way unzip computed the CRC32
checksum of certain extra fields of a file. A specially crafted Zip
archive could cause unzip to crash when the archive was tested with
unzip's '-t' option. (CVE-2014-8139)

An integer underflow flaw, leading to a buffer overflow, was found in
the way unzip uncompressed certain extra fields of a file. A specially
crafted Zip archive could cause unzip to crash when the archive was
tested with unzip's '-t' option. (CVE-2014-8140)

A buffer overflow flaw was found in the way unzip handled Zip64 files.
A specially crafted Zip archive could possibly cause unzip to crash
when the archive was uncompressed. (CVE-2014-8141)

See also :

http://www.nessus.org/u?4a83adda

Solution :

Update the affected unzip and / or unzip-debuginfo packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : freetype on SL6.x, SL7.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

Multiple integer overflow flaws and an integer signedness flaw,
leading to heap-based buffer overflows, were found in the way FreeType
handled Mac fonts. If a specially crafted font file was loaded by an
application linked against FreeType, it could cause the application to
crash or, potentially, execute arbitrary code with the privileges of
the user running the application. (CVE-2014-9673, CVE-2014-9674)

Multiple flaws were found in the way FreeType handled fonts in various
formats. If a specially crafted font file was loaded by an application
linked against FreeType, it could cause the application to crash or,
possibly, disclose a portion of the application memory.
(CVE-2014-9657, CVE-2014-9658, CVE-2014-9660, CVE-2014-9661,
CVE-2014-9663, CVE-2014-9664, CVE-2014-9667, CVE-2014-9669,
CVE-2014-9670, CVE-2014-9671, CVE-2014-9675)

The X server must be restarted (log out, then log back in) for this
update to take effect.

See also :

http://www.nessus.org/u?36c5cf70

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : virt-who on SL7.x (noarch)


Synopsis:

The remote Scientific Linux host is missing a security update.

Description:

It was discovered that the /etc/sysconfig/virt-who configuration file,
which may contain hypervisor authentication credentials, was
world-readable. A local user could use this flaw to obtain authentication
credentials from this file. (CVE-2014-0189)

The virt-who package has been upgraded to upstream version 0.11, which
provides a number of bug fixes and enhancements over the previous
version. The most notable bug fixes and enhancements include :

- Support for remote libvirt.

- A fix for using encrypted passwords.

- Bug fixes and enhancements that increase the stability
of virt-who.

This update also fixes the following bugs :

- Prior to this update, the virt-who agent failed to read
the list of virtual guests provided by the VDSM daemon.
As a consequence, when in VDSM mode, the virt-who agent
was not able to send updates about virtual guests to
Subscription Asset Manager (SAM) and Satellite. With
this update, the agent reads the list of guests when in
VDSM mode correctly and reports to SAM and Satellite as
expected.

- Previously, virt-who used incorrect information when
connecting to Satellite 5. Consequently, virt-who could
not connect to Satellite 5 servers. The incorrect
parameter has been corrected, and virt-who can now
successfully connect to Satellite 5.

- Prior to this update, virt-who did not decode the
hexadecimal representation of a password before
decrypting it. As a consequence, the decrypted password
did not match the original password, and attempts to
connect using the password failed. virt-who has been
updated to decode the encrypted password and, as a
result, virt-who now handles storing credentials using
encrypted passwords as expected.

In addition, this update adds the following enhancement :

- With this update, virt-who is able to read the list of
guests from a remote libvirt hypervisor.

See also :

http://www.nessus.org/u?3431e5ac

Solution :

Update the affected virt-who package.

Risk factor :

Low / CVSS Base Score : 2.1
(CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : qemu-kvm on SL7.x x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

It was found that the Cirrus blit region checks were insufficient. A
privileged guest user could use this flaw to write outside of the
VRAM-allocated buffer boundaries in the host's QEMU process address space
with attacker-provided data. (CVE-2014-8106)

An uninitialized data structure use flaw was found in the way the
set_pixel_format() function sanitized the value of bits_per_pixel. An
attacker able to access a guest's VNC console could use this flaw to
crash the guest. (CVE-2014-7815)

It was found that certain values that were read when loading RAM
during migration were not validated. A user able to alter the savevm
data (either on the disk or over the wire during migration) could use
this flaw to corrupt QEMU process memory on the
(destination) host, which could potentially result in arbitrary code
execution on the host with the privileges of the QEMU process.
(CVE-2014-7840)

A NULL pointer dereference flaw was found in the way QEMU handled UDP
packets with a source port and address of 0 when QEMU's user
networking was in use. A local guest user could use this flaw to crash
the guest. (CVE-2014-3640)

Bug fixes :

- The KVM utility executed demanding routing update system
calls every time it performed an MSI vector mask/unmask
operation. Consequently, guests running legacy systems
such as Scientific Linux 5 could, under certain
circumstances, experience significant slowdown. Now, the
routing system calls during mask/unmask operations are
skipped, and the performance of legacy guests is now
more consistent.

- Due to a bug in the Internet Small Computer System
Interface (iSCSI) driver, a qemu-kvm process terminated
unexpectedly with a segmentation fault when the 'write
same' command was executed in guest mode under the iSCSI
protocol. This update fixes the bug, and the 'write
same' command now functions in guest mode under iSCSI as
intended.

- The QEMU command interface did not properly handle
resizing of cache memory during guest migration, causing
QEMU to terminate unexpectedly with a segmentation
fault. This update fixes the related code, and QEMU no
longer crashes in the described situation.

Enhancements :

- The maximum number of supported virtual CPUs (vCPUs) in
a KVM guest has been increased to 240. This increases
the number of virtual processing units that the user can
assign to the guest, and therefore improves its
performance potential.

- Support for the 5th Generation Intel Core processors has
been added to the QEMU hypervisor, the KVM kernel code,
and the libvirt API. This allows KVM guests to use the
following instructions and features: ADCX, ADOX,
RDSEED, PREFETCHW, and supervisor mode access
prevention (SMAP).

- The 'dump-guest-memory' command now supports crash dump
compression. This makes it possible for users who cannot
use the 'virsh dump' command to require less hard disk
space for guest crash dumps. In addition, saving a
compressed guest crash dump frequently takes less time
than saving a non-compressed one.

See also :

http://www.nessus.org/u?7bfbba91

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : pcre on SL7.x x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

A flaw was found in the way PCRE handled certain malformed regular
expressions. This issue could cause an application (for example,
Konqueror) linked against PCRE to crash while parsing malicious
regular expressions. (CVE-2014-8964)

This update also adds the following enhancement :

- Support for the little-endian variant of IBM Power
Systems has been added to the pcre packages.

See also :

http://www.nessus.org/u?25e727f7

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Scientific Linux Security Update : openssh on SL7.x x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

It was discovered that OpenSSH clients did not correctly verify DNS
SSHFP records. A malicious server could use this flaw to force a
connecting client to skip the DNS SSHFP record check, so that the
user was instead prompted to verify the host key manually.
(CVE-2014-2653)
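
The check that a malicious server could suppress, as an added example (not
OpenSSH or Scientific Linux code): the client fingerprints the host's plain
public key, compares it with the SSHFP answers from DNS, and must still do so
when the server presents a host certificate it cannot verify. Three outcomes
are distinguished, because "no usable record" must fall back to manual
verification rather than count as success. The Ed25519 key, the certificate
blob (leading fields only) and the DNS answers below are constructed.

```python
"""SSHFP generation and verification for an OpenSSH host key.

Added example, not code from OpenSSH or Scientific Linux. It models the
client-side check bypassed in CVE-2014-2653: fingerprint the host's plain
key (unwrapping an unverifiable certificate), compare with DNS, and treat a
missing record as "ask the user", never as "verified". Key material below
is constructed for the example.
"""
import base64
import hashlib
import struct

# SSHFP algorithm and fingerprint-type code points (RFC 4255, 6594, 7479)
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}
CERT_SUFFIX = "-cert-v01@openssh.com"
# number of public-key strings that follow the nonce in a certificate blob
CERT_KEY_FIELDS = {"ssh-ed25519": 1, "ssh-rsa": 2}


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int):
    """Decode an SSH wire-format string at off; return (bytes, next off)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def plain_key_blob(blob: bytes) -> bytes:
    """Return the plain public-key blob, unwrapping an OpenSSH certificate.

    A *-cert-v01@openssh.com blob begins with: string type, string nonce,
    then the public-key fields of the underlying key. That plain key is
    what the SSHFP record describes, so it is what gets fingerprinted.
    """
    ktype, off = read_string(blob, 0)
    name = ktype.decode()
    if not name.endswith(CERT_SUFFIX):
        return blob
    base = name[:-len(CERT_SUFFIX)]
    _nonce, off = read_string(blob, off)
    fields = []
    for _ in range(CERT_KEY_FIELDS[base]):
        f, off = read_string(blob, off)
        fields.append(ssh_string(f))
    return ssh_string(base.encode()) + b"".join(fields)


def sshfp_from_key_line(line: str, fptype: str = "sha256"):
    """(algorithm, fptype, hex fingerprint) for a 'type base64 [comment]'
    key line, the same data 'ssh-keygen -r' emits: a hash of the raw blob."""
    blob = plain_key_blob(base64.b64decode(line.split()[1]))
    ktype, _ = read_string(blob, 0)
    return (SSHFP_ALGO[ktype.decode()], SSHFP_FPTYPE[fptype],
            hashlib.new(fptype, blob).hexdigest())


def verify_sshfp(host_key_blob: bytes, dns_answers) -> str:
    """Compare the presented host key against SSHFP answers from DNS.

    MATCH: key may be accepted (when the answer was DNSSEC-validated).
    MISMATCH: abort, the key does not belong to the name connected to.
    NO_RECORD: check not possible; prompt the user, never silently pass.
    """
    blob = plain_key_blob(host_key_blob)
    ktype, _ = read_string(blob, 0)
    algo = SSHFP_ALGO.get(ktype.decode())
    usable = [r for r in dns_answers if r[0] == algo and r[1] in (1, 2)]
    if not usable:
        return "NO_RECORD"
    for _, fpt, fp in usable:
        digest = hashlib.new("sha1" if fpt == 1 else "sha256", blob)
        if digest.hexdigest() == fp.lower():
            return "MATCH"
    return "MISMATCH"


# constructed Ed25519 host key with a fixed 32-byte public value
PUBKEY = bytes(range(32))
PLAIN_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(PUBKEY)
KEY_LINE = "ssh-ed25519 " + base64.b64encode(PLAIN_BLOB).decode() + " host.example"
# constructed certificate for the same key; only the leading fields needed
# for unwrapping are present, the remaining certificate fields are omitted
CERT_BLOB = (ssh_string(b"ssh-ed25519-cert-v01@openssh.com")
             + ssh_string(b"\x00" * 32) + ssh_string(PUBKEY))

if __name__ == "__main__":
    record = sshfp_from_key_line(KEY_LINE)
    print("host.example IN SSHFP %d %d %s" % record)
    print("plain key:", verify_sshfp(PLAIN_BLOB, [record]))
    print("unverifiable cert, still checked:", verify_sshfp(CERT_BLOB, [record]))
    print("no record:", verify_sshfp(PLAIN_BLOB, []))
```

On a real client the same outcome is selected with VerifyHostKeyDNS (yes,
ask or no); only a MATCH backed by a DNSSEC-validated answer should skip the
interactive prompt, and a MISMATCH should be treated like a changed key in
known_hosts.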

It was found that when OpenSSH was used in a Kerberos environment,
remote authenticated users were allowed to log in as a different user
if they were listed in the ~/.k5users file of that user, potentially
bypassing intended authentication restrictions. (CVE-2014-9278)
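
The authorization decision involved in CVE-2014-9278, as an added example
(not the patched openssh code). ~/.k5users is ksu's command-authorization
file, so an entry there grants a principal specific commands, not a shell.
The pre-fix rule modelled here lets any listed principal in; the hardened
rule, which is this example's own conservative policy and an assumption
rather than a transcription of the patch, accepts only entries whose command
list is exactly "*". The ~/.k5login handling follows the usual krb5 rule: if
the file exists the principal must be listed, otherwise user@DEFAULT_REALM
maps to the local user. The file contents and realm are constructed.

```python
"""Kerberos principal to local-user authorization for an SSH login.

Added example, not openssh code. Contrasts the pre-fix behaviour of
CVE-2014-9278 (any principal listed in ~/.k5users may log in) with a
conservative policy adopted here as an assumption: only a ~/.k5users entry
whose command list is exactly '*' authorizes an interactive login.
File contents below are constructed.
"""
DEFAULT_REALM = "EXAMPLE.COM"  # assumed default realm of the host


def parse_k5login(text):
    """~/.k5login: one principal per line, exact match only."""
    return {ln.strip() for ln in text.splitlines() if ln.strip()}


def parse_k5users(text):
    """~/.k5users: 'principal [command ...]' per line -> {principal: cmds}.

    An entry with no commands is kept as [] so it is never confused with
    the unrestricted marker '*'.
    """
    entries = {}
    for ln in text.splitlines():
        parts = ln.split()
        if parts:
            entries[parts[0]] = parts[1:]
    return entries


def k5login_allows(principal, local_user, k5login_text):
    """krb5 default rule: with a ~/.k5login the principal must be listed;
    without one, only user@DEFAULT_REALM maps to local user 'user'."""
    if k5login_text is None:
        return principal == "%s@%s" % (local_user, DEFAULT_REALM)
    return principal in parse_k5login(k5login_text)


def vulnerable_k5users_allows(principal, k5users_text):
    """Pre-fix behaviour: being listed at all is enough, even when the
    entry only authorizes a single command."""
    return principal in parse_k5users(k5users_text or "")


def hardened_k5users_allows(principal, k5users_text):
    """Conservative policy (assumption): only an unrestricted '*' entry may
    authorize a shell login; command-restricted entries do not."""
    return parse_k5users(k5users_text or "").get(principal) == ["*"]


def login_allowed(principal, local_user, k5login_text, k5users_text,
                  hardened=True):
    """Decide whether `principal` may log in as `local_user`."""
    if k5login_allows(principal, local_user, k5login_text):
        return True
    check = hardened_k5users_allows if hardened else vulnerable_k5users_allows
    return check(principal, k5users_text)


# constructed files from local user alice's home directory
ALICE_K5LOGIN = "bob@EXAMPLE.COM\n"
ALICE_K5USERS = ("carol@EXAMPLE.COM /usr/local/bin/backup-home\n"
                 "ops@EXAMPLE.COM *\n")

if __name__ == "__main__":
    for who in ("bob", "carol", "ops", "mallory"):
        p = who + "@EXAMPLE.COM"
        print("%-18s vulnerable=%-5s hardened=%s" % (
            p, login_allowed(p, "alice", ALICE_K5LOGIN, ALICE_K5USERS, False),
            login_allowed(p, "alice", ALICE_K5LOGIN, ALICE_K5USERS)))
```

The general lesson is not specific to Kerberos: an authorization file written
for one privilege (run these commands via ksu) must not be reused by another
service to grant a broader one (an interactive session) without checking the
restrictions it carries.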

The openssh packages have been upgraded to upstream version 6.6.1,
which provides a number of bug fixes and enhancements over the
previous version.

Bug fixes :

- Logging through the syslog utility requires an existing
/dev/log socket, which is not available in all chroot
environments based on users' home directories. As a
consequence, sftp commands were not logged by the
internal sftp subsystem in a chroot setup without
/dev/log. With this update, openssh detects whether
/dev/log exists; if it does not, processes in the chroot
environment log through their master process instead.

- The buffer size for a host name was limited to 64 bytes.
As a consequence, when a host name was 64 bytes long or
longer, the ssh-keygen utility failed. The buffer size
has been increased to fix this bug, and ssh-keygen no
longer fails in the described situation.

- Non-ASCII characters have been replaced by their octal
representations in banner messages in order to prevent
terminal re-programming attacks. Consequently, banners
containing UTF-8 strings were not correctly displayed in
a client. With this update, banner messages are
processed according to RFC 3454, control characters have
been removed, and banners containing UTF-8 strings are
now displayed correctly.

- Scientific Linux uses persistent Kerberos credential
caches, which are shared between sessions. Previously,
the GSSAPICleanupCredentials option was set to 'yes' by
default. Consequently, removing a Kerberos cache on
logout could remove unrelated credentials of other
sessions, which could make the system unusable. To fix
this bug, GSSAPICleanupCredentials is set by default to
'no'.

- Access permissions for the /etc/ssh/moduli file were set
to 0600, which was unnecessarily strict for a file that
holds only public Diffie-Hellman group parameters. With
this update, the permissions for /etc/ssh/moduli have
been changed to 0644 so that the file can also be read
by unprivileged processes.

- Due to the KRB5CCNAME variable being truncated, the
Kerberos ticket cache was not found after login using a
Kerberos-enabled SSH connection. The underlying source
code has been modified to fix this bug, and Kerberos
authentication works as expected in the described
situation.
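
The banner handling described in the bug fixes above, as an added example
(not openssh code): the pre-authentication banner is attacker-controlled text
written straight to the user's terminal, so control characters (ESC
sequences, BEL, C1 controls) must never reach it. The first function
reproduces the older approach, escaping every byte outside printable ASCII
as octal, which is safe but makes UTF-8 banners unreadable; the second keeps
printable characters of any script and drops control and format characters,
the behaviour this update aims for. The exact character classes dropped are
this example's choice rather than a transcription of the patch, and the
sample banners are constructed.

```python
"""Sanitizing an untrusted SSH banner before writing it to a terminal.

Added example, not openssh code. octal_escape_banner() is the older,
ASCII-only approach; sanitize_banner() keeps printable Unicode and removes
control and format characters (the set chosen here is this example's own).
Sample banners below are constructed.
"""
import unicodedata

# Unicode general categories that must not reach a terminal: control, format
# (bidi overrides, zero-width chars), surrogates, private use, unassigned
DROP_CATEGORIES = {"Cc", "Cf", "Cs", "Co", "Cn"}
KEEP_CONTROLS = {"\n", "\t"}  # harmless layout characters


def octal_escape_banner(raw: bytes) -> str:
    """Old behaviour: every byte outside printable ASCII becomes \\ooo, so
    'caf\\303\\251' is shown for the UTF-8 bytes of 'cafe' with an acute e."""
    out = []
    for b in raw:
        ch = chr(b)
        if 0x20 <= b < 0x7F or ch in KEEP_CONTROLS:
            out.append(ch)
        else:
            out.append("\\%03o" % b)
    return "".join(out)


def sanitize_banner(raw: bytes) -> str:
    """New behaviour: decode UTF-8, keep printable characters of any script,
    drop control/format characters, octal-escape bytes that are not UTF-8."""
    text = raw.decode("utf-8", errors="surrogateescape")
    out = []
    for ch in text:
        cp = ord(ch)
        if 0xDC80 <= cp <= 0xDCFF:      # invalid byte preserved by surrogateescape
            out.append("\\%03o" % (cp - 0xDC00))
        elif ch in KEEP_CONTROLS:
            out.append(ch)
        elif unicodedata.category(ch) in DROP_CATEGORIES:
            continue                     # ESC, BEL, C1 controls, U+202E, ...
        else:
            out.append(ch)
    return "".join(out)


def is_terminal_safe(text: str) -> bool:
    """True when no C0/C1 control character other than newline/tab remains."""
    return all(c in KEEP_CONTROLS or (0x20 <= ord(c) < 0x7F) or ord(c) > 0x9F
               for c in text)


# constructed banners: a UTF-8 greeting, and one that tries to retitle the
# terminal with an OSC sequence, clear the screen with CSI 2J, and carries
# one byte that is not valid UTF-8
FRIENDLY = "Bienvenue sur caf\u00e9.example\n".encode("utf-8")
HOSTILE = b"Welcome\x1b]0;owned\x07\x1b[2J to \xff the host\n"

if __name__ == "__main__":
    for name, raw in (("friendly", FRIENDLY), ("hostile", HOSTILE)):
        print(name, "old:", repr(octal_escape_banner(raw)))
        print(name, "new:", repr(sanitize_banner(raw)))
```

Note that only the control bytes are removed: the text of a stripped escape
sequence (here `]0;owned` and `[2J`) is still displayed as plain characters,
which is harmless but visible, so a client may prefer to log such banners
rather than display them.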

Enhancements :

- When the sshd daemon is configured to force the internal
SFTP session and a connection other than SFTP is
attempted, an appropriate message is now logged to the
/var/log/secure file.

- The sshd-keygen service was run using the
'ExecStartPre=-/usr/sbin/sshd-keygen' option in the
sshd.service unit file. With this update, the separate
sshd-keygen.service unit file has been added, and
sshd.service has been adjusted to require
sshd-keygen.service.

See also :

http://www.nessus.org/u?7cd45b81

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.