LinuxQuestions.org - [Slackware security] vulnerabilities outstanding 20140101

- Slackware (https://www.linuxquestions.org/questions/slackware-14/)

- - [Slackware security] vulnerabilities outstanding 20140101 (https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-security%5D-vulnerabilities-outstanding-20140101-a-4175489800/)

Quote:

Originally Posted by BrZ (Post 5508489)

OpenSSL CVE-2016-0800

The just released OpenSSL 1.0.2g builds fine under -current:
https://www.openssl.org/source/openssl-1.0.2g.tar.gz
https://www.openssl.org/source/opens....2g.tar.gz.asc

Here's 1.0.1s for -stable:
https://www.openssl.org/source/openssl-1.0.1s.tar.gz
https://www.openssl.org/source/opens....1s.tar.gz.asc

samba-4.1.23 is released with two security bugs fix.

Quote:

Release Announcements
---------------------

This is a security release in order to address the following CVEs:

o CVE-2015-7560 (Incorrect ACL get/set allowed on symlink path)
o CVE-2016-0771 (Out-of-bounds read in internal DNS server)

=======
Details
=======

o CVE-2015-7560:
All versions of Samba from 3.2.0 to 4.4.0rc3 inclusive are vulnerable to
a malicious client overwriting the ownership of ACLs using symlinks.

An authenticated malicious client can use SMB1 UNIX extensions to
create a symlink to a file or directory, and then use non-UNIX SMB1
calls to overwrite the contents of the ACL on the file or directory
linked to.

o CVE-2016-0771:
All versions of Samba from 4.0.0 to 4.4.0rc3 inclusive, when deployed as
an AD DC and choose to run the internal DNS server, are vulnerable to an
out-of-bounds read issue during DNS TXT record handling caused by users
with permission to modify DNS records.

A malicious client can upload a specially constructed DNS TXT record,
resulting in a remote denial-of-service attack. As long as the affected
TXT record remains undisturbed in the Samba database, a targeted DNS
query may continue to trigger this exploit.

While unlikely, the out-of-bounds read may bypass safety checks and
allow leakage of memory from the server in the form of a DNS TXT reply.

By default only authenticated accounts can upload DNS records,
as "allow dns updates = secure only" is the default.
Any other value would allow anonymous clients to trigger this
bug, which is a much higher risk.

bind 9.10.3.P4
https://www.isc.org/downloads/file/b...version=tar-gz

BIND 9.10.3-P4 addresses the security issues described in CVE-2016-1285, CVE-2016-1286 and CVE-2016-2088

Mercurial 3.7.3 addresses three security issues:

Quote:

CVE-2016-3630 Mercurial: remote code execution in binary delta decoding

Mercurial prior to 3.7.3 contained two bounds-checking errors in its binary delta decoder that may be exploitable via clone, push, or pull.

CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos

Mercurial prior to 3.7.3 allowed URLs for Git subrepos that could result in arbitrary code execution on clone. This is a further side-effect of Git CVE-2015-7545. Reported by Blake Burkhart.

CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos

Mercurial prior to 3.7.3 allowed arbitrary code execution when converting Git repos with hostile names. This could affect automated conversion services. Reported by Blake Burkhart.

It's time to ditch Samba 4.1 in 14.1 and Samba 3.6 in 14.0: the details of CVE-2016-2118 are out, and they don't look good. Bold parts are relevant to Slackware.

Quote:

What can attackers gain?

The security vulnerabilities can be mostly categorised as man-in-the-middle or denial of service attacks.

Man-in-the-middle (MITM) attacks:

There are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user.

Impact examples of intercepting administrator network traffic:
- Samba AD server - view or modify secrets within an AD database, including user password hashes, or shutdown critical services.
- standard Samba server - modify user permissions on files or directories.
Denial-of-Service (DoS) attacks:

Samba services are vulnerable to a denial of service from an attacker with remote network connectivity to the Samba service.

Who is affected?

Affected versions of Samba are:

3.6.x,
4.0.x,
4.1.x,
4.2.0-4.2.9,
4.3.0-4.3.6,
4.4.0

Earlier versions have not been assessed.

How can I fix my systems?

Please apply the patches provided by the Samba Team and SerNet for EnterpriseSAMBA / SAMBA+ immediately.

Patched versions are (both the interim and final security release have the patches):

4.2.10 / 4.2.11,
4.3.7 / 4.3.8,
4.4.1 / 4.4.2.

With the release of Samba 4.4.0 on March 22nd the 4.1 release branch has been marked DISCONTINUED (see Samba Release Planning). Please be aware that Samba 4.1 and below are therefore out of support, even for security fixes. There will be no official security releases for Samba 4.1 and below published by the Samba Team or SerNet (for EnterpriseSAMBA). We strongly advise users to upgrade to a supported release.

There is a new kernel 4.4.8.

Sorry, the news was already in another thread.

bind-9.9.9 is released with many security fixes.

Quote:

Security Fixes

* The resolver could abort with an assertion failure due to improper
DNAME handling when parsing fetch reply messages. This flaw is
disclosed in CVE-2016-1286. [RT #41753]
* Malformed control messages can trigger assertions in named and
rndc. This flaw is disclosed in CVE-2016-1285. [RT #41666]
* Specific APL data could trigger an INSIST. This flaw is disclosed
in CVE-2015-8704. [RT #41396]
* Incorrect reference counting could result in an INSIST failure if a
socket error occurred while performing a lookup. This flaw is
disclosed in CVE-2015-8461. [RT#40945]
* Insufficient testing when parsing a message allowed records with an
incorrect class to be be accepted, triggering a REQUIRE failure
when those records were subsequently cached. This flaw is disclosed
in CVE-2015-8000. [RT #40987]

Quote:

Originally Posted by Thom1b (Post 5538135)

bind-9.9.9 is released with many security fixes.

All of these CVEs have been patched in prior BIND updates.

Mercurial 3.8.1 contains a low-priority security fix for:

Quote:

CVE-2016-3105 Mercurial: arbitrary code execution when converting Git repos

Mercurial prior to 3.8 allowed arbitrary code execution when using the convert extension on Git repos with hostile names. This could affect automated code conversion services that allow arbitrary repository names. This is a further side-effect of Git CVE-2015-7545. Reported and fixed by Blake Burkhart.

Probably not worth the update on -current, but I thought that people here might want to know.

OpenSSL 1.0.2h (for -current) and 1.0.1t (for 14.1 and 14.0) are now out, fixing two high-severity vulnerabilities (CVE-2016-2108, CVE-2016-2107) and some low-severity ones (CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, CVE-2016-2176) that were warned about last week.

Apparently there is a critical problem with Imagemagick,

https://www.linuxquestions.org/quest...ty-4175578942/

Quote:

Originally Posted by cwizardone (Post 5540206)

Apparently there is a critical problem with Imagemagick,

https://www.linuxquestions.org/quest...ty-4175578942/

And here's the complete information. We quietly updated ImageMagick in -current, but it seems the fixes are incomplete.

http://seclists.org/oss-sec/2016/q2/205

I'm not sure what can be done in 14.0 and 14.1 without isolating and backporting the fixes, since the shared library versions have been bumped since then and we can't recompile everything as part of a fix. But pretty much anyone using ImageMagick to process untrusted files should apply the mitigations from the link above.