News reader

Linux security Advisories · 1 hour 54 minutes ago

Ubuntu 4105-1: CUPS vulnerabilities

Several security issues were fixed in CUPS.
Ubuntu Security Notices · 5 hours 34 minutes ago

USN-4105-1: CUPS vulnerabilities

cups vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in CUPS.

Software Description
  • cups - Common UNIX Printing System™
Details

Stephan Zeisberg discovered that the CUPS SNMP backend incorrectly handled encoded ASN.1 inputs. A remote attacker could possibly use this issue to cause CUPS to crash by providing specially crafted network traffic. (CVE-2019-8696, CVE-2019-8675)
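
The crash class described above, as an added example that is not CUPS code: a BER tag-length-value reader that validates every declared length against the bytes actually present before slicing, so a truncated or absurdly long length field is rejected instead of being read past the end of the packet. It assumes the BER subset SNMP uses (definite lengths, low tag numbers); the sample packets are constructed, not captured traffic.

```python
# Added example, not CUPS code: a bounds-checked BER tag-length-value reader of
# the kind an SNMP packet parser needs. Every declared length is checked against
# the bytes actually present before anything is sliced, so truncated or
# oversized encodings raise an error instead of being read past the buffer.

class BerError(ValueError):
    """Malformed or untrusted BER encoding."""


def read_tlv(buf, pos=0):
    """Parse one BER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    n = len(buf)
    if pos >= n:
        raise BerError("truncated: missing tag byte")
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        raise BerError("high-tag-number form not supported (SNMP never uses it)")
    if pos >= n:
        raise BerError("truncated: missing length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first                              # short form, one byte
    elif first == 0x80:
        raise BerError("indefinite length is not allowed in SNMP")
    else:
        nbytes = first & 0x7F                       # long form: count of length bytes
        if nbytes > 4:
            raise BerError("length field of %d bytes is implausible" % nbytes)
        if pos + nbytes > n:
            raise BerError("truncated: length field runs past end of buffer")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if length > n - pos:                            # the check a crashing parser lacks
        raise BerError("declared length %d exceeds %d remaining bytes" % (length, n - pos))
    return tag, buf[pos:pos + length], pos + length


def iter_children(value):
    """Yield (tag, value_bytes) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, body, pos = read_tlv(value, pos)
        yield tag, body


def decode_integer(body):
    if not body:
        raise BerError("INTEGER with empty contents")
    return int.from_bytes(body, "big", signed=True)


def decode_snmp_header(packet):
    """Return (version, community) from the outer SEQUENCE of an SNMPv1/v2c message."""
    tag, body, end = read_tlv(packet)
    if tag != 0x30:
        raise BerError("outer element is not a SEQUENCE")
    if end != len(packet):
        raise BerError("trailing bytes after the message")
    fields = list(iter_children(body))
    if len(fields) < 2 or fields[0][0] != 0x02 or fields[1][0] != 0x04:
        raise BerError("expected INTEGER version followed by OCTET STRING community")
    return decode_integer(fields[0][1]), fields[1][1].decode("ascii", "replace")


def is_well_formed(packet):
    try:
        decode_snmp_header(packet)
        return True
    except BerError:
        return False


# Constructed sample inputs (not captured traffic):
GOOD = b"\x30\x0b\x02\x01\x01\x04\x06public"          # SEQUENCE { INTEGER 1, OCTET STRING "public" }
TRUNCATED = b"\x30\x0b\x02\x01\x01\x04\x06pub"        # outer length claims 11 bytes, only 8 present
OVERSIZED = b"\x30\x84\xff\xff\xff\xff\x02\x01\x01"   # long-form length of 4 GiB

if __name__ == "__main__":
    print(decode_snmp_header(GOOD))                    # (1, 'public')
    for bad in (TRUNCATED, OVERSIZED):
        print(is_well_formed(bad))                     # False, False
```

The two rejections worth noting are the indefinite-length form (legal in BER, never in SNMP, and a classic way to make a parser scan to end of buffer) and the long-form length larger than the remaining input, which is what turns a malformed packet into an out-of-bounds read in an unchecked decoder.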

It was discovered that CUPS did not properly handle client disconnection events. A local attacker could possibly use this issue to cause a denial of service or disclose memory from the CUPS server.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04
cups - 2.2.10-4ubuntu2.1
Ubuntu 18.04 LTS
cups - 2.2.7-1ubuntu2.7
Ubuntu 16.04 LTS
cups - 2.1.3-4ubuntu0.10

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

SANS · 6 hours 30 minutes ago

ISC Stormcast For Tuesday, August 20th 2019 https://isc.sans.edu/podcastdetail.html?id=6628, (Tue, Aug 20th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
NVD: all CVE · 8 hours 14 minutes ago

CVE-2019-15237

Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.
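
The homograph problem named above, with an added example that is not Roundcube code: a display rule that decodes xn-- labels with Python's punycode codec and falls back to the raw A-label whenever the decoded form mixes scripts or consists only of Cyrillic letters that look like Latin ones. The look-alike set is an illustrative subset, not the full UTS #39 confusables table, and the hostnames in the sample are constructed.

```python
import unicodedata

# Added example, not Roundcube code: decide whether an xn-- (A-label) hostname
# label is safe to render in its Unicode form. Labels that mix scripts or that
# consist entirely of Cyrillic letters indistinguishable from Latin ones are
# shown as the raw A-label instead, so the user sees "xn--..." rather than a
# look-alike of a domain they trust.

# Illustrative subset of Cyrillic letters that render like Latin letters.
# A production list (UTS #39 confusables, the browsers' whole-script lists) is longer.
CYRILLIC_LATIN_LOOKALIKES = set(
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445"         # а е о р с у х
    "\u04cf\u0458\u0455\u0456\u04bb\u0501\u051b\u051d"   # ӏ ј ѕ і һ ԁ ԛ ԝ
)


def decode_label(label):
    """Return the Unicode form of one label; xn-- labels are punycode-decoded."""
    if label[:4].lower() == "xn--":
        try:
            return label[4:].encode("ascii").decode("punycode")
        except (UnicodeError, ValueError) as exc:
            raise ValueError("invalid punycode in %r" % label) from exc
    return label


def scripts_of(text):
    """Script names of the letters in text, taken from their Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def is_suspicious(label):
    """True if the decoded label mixes scripts or is a whole-script Cyrillic look-alike."""
    letters = [ch for ch in label if ch.isalpha()]
    if not letters:
        return False
    scripts = scripts_of(label)
    if len(scripts) > 1:
        return True                      # e.g. Latin "p" + Cyrillic "а" in one label
    if scripts == {"CYRILLIC"} and all(ch in CYRILLIC_LATIN_LOOKALIKES for ch in letters):
        return True                      # every letter has a Latin twin
    return False


def display_hostname(host):
    """Render a hostname for display: Unicode where safe, the A-label where not."""
    shown = []
    for label in host.split("."):
        try:
            decoded = decode_label(label)
        except ValueError:
            shown.append(label)          # undecodable: leave the raw label visible
            continue
        shown.append(label if is_suspicious(decoded) else decoded)
    return ".".join(shown)


if __name__ == "__main__":
    # Constructed examples; the A-labels are derived with Python's punycode codec.
    for uni in ("m\u00fcnchen", "\u0430\u0440\u0440\u04cf\u0435", "p\u0430ypal"):
        alabel = "xn--" + uni.encode("punycode").decode("ascii")
        print(alabel, "->", display_hostname(alabel + ".com"))
```

The first sample ("münchen") decodes to a single Latin-script label and is shown in Unicode; the second is the all-Cyrillic spelling of "apple" and the third mixes a Cyrillic "а" into "paypal", and both stay in their xn-- form. For a mail client the same rule applies to the domain part of every displayed address and link target.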
NVD: all CVE · 9 hours 14 minutes ago

CVE-2019-15228

FUEL CMS 1.4.4 has XSS in the Create Blocks section of the Admin console. This could lead to cookie stealing and other malicious actions. This vulnerability can be exploited with an authenticated account but can also impact unauthenticated visitors.
NVD: all CVE · 9 hours 14 minutes ago

CVE-2019-15229

FUEL CMS 1.4.4 has CSRF in the blocks/create/ Create Blocks section of the Admin console. This could lead to an attacker tricking the administrator into executing arbitrary code via a specially crafted HTML page.
NVD: all CVE · 9 hours 14 minutes ago

CVE-2019-15231

Webmin 1.890, in a default installation, contains a backdoor that allows an unauthenticated attacker to remotely execute commands. This is different from CVE-2019-15107. NOTE: as of 2019-08-19, the vendor reports that "at some point" malicious code was inserted into their build infrastructure, but was not inserted into any GitHub repository.
NVD: all CVE · 9 hours 14 minutes ago

CVE-2019-15232

Live555 before 2019.08.16 has a Use-After-Free because GenericMediaServer::createNewClientSessionWithId can generate the same client session ID in succession, which is mishandled by the MPEG1or2 and Matroska file demultiplexors.
Ubuntu Security Notices · 10 hours 12 minutes ago

USN-4104-1: Nova vulnerability

nova vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Nova could be made to expose sensitive information.

Software Description
  • nova - OpenStack Compute cloud infrastructure
Details

Donny Davis discovered that the Nova Compute service could return configuration or other information in response to a failed API request in some situations. A remote attacker could use this to expose sensitive information.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04
nova-compute - 2:19.0.1-0ubuntu2.1
python3-nova - 2:19.0.1-0ubuntu2.1
Ubuntu 18.04 LTS
nova-compute - 2:17.0.10-0ubuntu2.1
python-nova - 2:17.0.10-0ubuntu2.1
Ubuntu 16.04 LTS
nova-compute - 2:13.1.4-0ubuntu4.5
python-nova - 2:13.1.4-0ubuntu4.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

NVD: all CVE · 10 hours 14 minutes ago

CVE-2019-15224

The rest-client gem 1.6.13 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.
NVD: all CVE · 10 hours 14 minutes ago

CVE-2019-15225

In Envoy through 1.11.1, users may configure a route to match incoming path headers via the libstdc++ regular expression implementation. A remote attacker may send a request with a very long URI to result in a denial of service (memory consumption). This is a related issue to CVE-2019-14993.
NVD: all CVE · 11 hours 14 minutes ago

CVE-2019-15223

An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/driver.c driver.
NVD: all CVE · 11 hours 14 minutes ago

CVE-2019-15211

An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c does not properly allocate memory.
NVD: all CVE · 11 hours 14 minutes ago

CVE-2019-15212

An issue was discovered in the Linux kernel before 5.1.8. There is a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver.
NVD: all CVE · 11 hours 14 minutes ago

CVE-2019-15213

An issue was discovered in the Linux kernel before 5.2.3. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver.
NVD: all CVE · 11 hours 14 minutes ago

CVE-2019-15214

An issue was discovered in the Linux kernel before 5.0.10. There is a use-after-free in the sound subsystem because card disconnection causes certain data structures to be deleted too early. This is related to sound/core/init.c and sound/core/info.c.
NVD: all CVE · 11 hours 14 minutes ago

CVE-2019-15215

An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver.
NVD: all CVE · 11 hours 14 minutes ago

CVE-2019-15216

An issue was discovered in the Linux kernel before 5.0.14. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver.
NVD: all CVE · 11 hours 14 minutes ago

CVE-2019-15217

An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver.
NVD: all CVE · 11 hours 14 minutes ago

CVE-2019-15218

An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver.