LWN.net's Journal
 

Monday, November 24th, 2014

    2:39p
    Kernel prepatch 3.18-rc6
    The 3.18-rc6 prepatch is out, right on
    schedule. Linus says: "Steady progress towards final release,
    although we still have a big unknown worry in a regression that Dave Jones
    reported and that we haven't solved yet. In the process of chasing that one
    down, there's been a fair amount of looking at various low-level details,
    and that found some dubious issues, but no smoking gun yet."
    5:48p
    Security advisories for Monday

    Fedora has updated clamav (F20: denial of service), facter (F20: privilege escalation), libreoffice (F20: code execution), libvirt (F20: multiple vulnerabilities), libxml2 (F19: denial of service), owncloud (F19: security restriction bypass), php-sabredav-Sabre_CalDAV (F19: security restriction bypass), php-sabredav-Sabre_CardDAV (F19: security restriction bypass), php-sabredav-Sabre_DAV (F19: security restriction bypass), php-sabredav-Sabre_DAVACL (F19: security restriction bypass), php-sabredav-Sabre_HTTP (F19: security restriction bypass), php-sabredav-Sabre_VObject (F19: security restriction bypass), polarssl (F20; F19: two vulnerabilities), python (F19: script execution), python-pillow (F20; F19: multiple vulnerabilities), and wget (F20: symlink attack).

    Gentoo has updated aircrack-ng (multiple vulnerabilities), ansible (code execution), asterisk (multiple vulnerabilities), and openswan (denial of service).

    Mageia has updated imagemagick (multiple vulnerabilities), moodle (multiple vulnerabilities), and polarssl (two vulnerabilities).

    Mandriva has updated krb5 (ticket forgery), libvirt (information disclosure), php-smarty (two vulnerabilities), qemu (multiple vulnerabilities), srtp (denial of service), and wireshark (multiple vulnerabilities).

    openSUSE has updated openssl (TLS handshake problem).

    SUSE has updated firefox (SLES11 SP2: multiple vulnerabilities).

    9:44p
    Four-year-old comment security bug affects 86 percent of WordPress sites (Ars Technica)
    Ars Technica reports
    on a recently discovered bug in WordPress 3 sites that could be used to
    launch malicious script-based attacks on site visitors’ browsers.
    "The vulnerability, discovered by Jouko Pynnonen of Klikki Oy, allows
    an attacker to craft a comment on a blog post that includes malicious
    JavaScript code. On sites that allow comments without authentication—the
    default setting for WordPress—this could allow anyone to post malicious
    scripts within comments that could target site visitors or
    administrators. A proof of concept attack developed by Klikki Oy was able
    to hijack a WordPress site administrator’s session and create a new
    WordPress administrative account with a known password, change the current
    administrative password, and launch malicious PHP code on the server. That
    means an attacker could essentially lock the existing site administrator
    out and hijack the WordPress installation for malicious purposes."
    WordPress 4.0 is not vulnerable to the attack.
