mancha |
07-02-2015 10:31 PM |
Update 20150702 UTC
- Mozilla
Thirteen critical vulnerabilities (CVE-2015-2722, CVE-2015-2724, CVE-2015-2725, CVE-2015-2726, CVE-2015-2731,
CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739,
CVE-2015-2740) and numerous high, moderate, and low severity issues have been fixed in Firefox 39, Firefox ESR 38.1,
and, when applicable, in Thunderbird 38.1.
Recommendation: Update to Firefox 39 or ESR 38.1 and Thunderbird 38.1.
Note: These versions of Firefox no longer accept DHE MODPs smaller than 1023 bits so are not vulnerable to Logjam
(CVE-2015-4000).
- PHP
PHP 5.4.42 fixes: an integer overflow in ftp_genlist that leads to a heap overflow (CVE-2015-4643); command injection
in escapeshellarg (CVE-2015-4642); segfault in php_pgsql_meta_data (CVE-2015-4644); as well as three security
issues in the bundled sqlite3 (CVE-2015-3414, CVE-2015-3415, and CVE-2015-3416).
PHP 5.6.10 fixes: an integer overflow in ftp_genlist that leads to a heap overflow (CVE-2015-4643); command injection
in escapeshellarg (CVE-2015-4642); several issues in bundled pcrelib (CVE-2015-2325, CVE-2015-2326); as well as
three security issues in the bundled sqlite3 (CVE-2015-3414, CVE-2015-3415, and CVE-2015-3416).
Recommendation: Slackware 14.1 users upgrade to PHP 5.4.42 / Slackware-current users upgrade to PHP 5.6.10.
- curl
A flaw was discovered in curl 7.40.0 through 7.42.1, inclusive, such that libcurl can wrongly send HTTP credentials
when re-using connections. (CVE-2015-3236)
A flaw was discovered in curl 7.40.0 through 7.42.1, inclusive, such that libcurl can get tricked by a malicious SMB
server to send off data it did not intend to. (CVE-2015-3237)
Note: one might be tempted to downplay vulnerabilities in curl but it's important to keep in mind cmake, git, gnupg,
among others, use libcurl for secure transport.
Recommendation: Slackware 14.1 ships curl 7.36.0 and is unaffected by these particular issues but is affected by
numerous others (see earlier posts). Slackware 14.1 and Slackware-current users should upgrade to curl 7.43.0 (sig).
- stunnel
A flaw was discovered in stunnel 5.00 through 5.13, inclusive, that makes those versions vulnerable to having client
certificate based authentication bypassed when the redirect option is enabled. (CVE-2015-3644)
Note: Slackware 14.1/current aren't vulnerable to this particular issue because they ship stunnel 4.53. However, that
version is vulnerable to several other issues (see earlier posts for more info).
Recommendation: Upgrade to stunnel 5.19 (sig).
--mancha
|