ALT-BU-2014-3149-1
Branch sisyphus update bulletin.
Closed vulnerabilities
BDU:2015-01984
Vulnerabilities in the Debian GNU/Linux operating system that allow a remote attacker to compromise the confidentiality, integrity, and availability of protected information
BDU:2015-04296
Vulnerability in the SUSE Linux Enterprise operating system that allows an attacker to compromise the confidentiality, integrity, and availability of protected information
BDU:2015-04297
Vulnerability in the SUSE Linux Enterprise operating system that allows an attacker to compromise the confidentiality, integrity, and availability of protected information
BDU:2015-04298
Vulnerability in the SUSE Linux Enterprise operating system that allows an attacker to compromise the confidentiality, integrity, and availability of protected information
BDU:2015-04299
Vulnerability in the SUSE Linux Enterprise operating system that allows an attacker to compromise the confidentiality, integrity, and availability of protected information
BDU:2015-04300
Vulnerability in the SUSE Linux Enterprise operating system that allows an attacker to compromise the confidentiality, integrity, and availability of protected information
BDU:2015-04301
Vulnerability in the SUSE Linux Enterprise operating system that allows an attacker to compromise the confidentiality, integrity, and availability of protected information
BDU:2015-07299
Vulnerability in the Red Hat Enterprise Linux operating system that allows a remote attacker to compromise the confidentiality, integrity, and availability of protected information
BDU:2015-09203
Vulnerability in the CentOS operating system that allows a remote attacker to compromise the confidentiality, integrity, and availability of protected information
BDU:2015-09790
Vulnerabilities in the Gentoo Linux operating system that allow a remote attacker to compromise the confidentiality, integrity, and availability of protected information
Modified: 2024-11-21
CVE-2014-4341
MIT Kerberos 5 (aka krb5) before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) by injecting invalid tokens into a GSSAPI application session.
- http://advisories.mageia.org/MGASA-2014-0345.html
- http://aix.software.ibm.com/aix/efixes/security/nas_advisory1.asc
- http://krbdev.mit.edu/rt/Ticket/Display.html?id=7949
- FEDORA-2014-8189
- RHSA-2015:0439
- 59102
- 60082
- 60448
- GLSA-201412-53
- DSA-3000
- MDVSA-2014:165
- 68909
- 1030706
- mit-kerberos-cve20144341-dos(94904)
- https://github.com/krb5/krb5/commit/e6ae703ae597d798e310368d52b8f38ee11c6a73
Modified: 2024-11-21
CVE-2014-4342
MIT Kerberos 5 (aka krb5) 1.7.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read or NULL pointer dereference, and application crash) by injecting invalid tokens into a GSSAPI application session.
- http://advisories.mageia.org/MGASA-2014-0345.html
- http://krbdev.mit.edu/rt/Ticket/Display.html?id=7949
- RHSA-2015:0439
- 59102
- 60082
- DSA-3000
- MDVSA-2014:165
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- 68908
- 1030706
- mit-kerberos-cve20144342-dos(94903)
- https://github.com/krb5/krb5/commit/e6ae703ae597d798e310368d52b8f38ee11c6a73
Modified: 2024-11-21
CVE-2014-4343
Double free vulnerability in the init_ctx_reselect function in the SPNEGO initiator in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.10.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via network traffic that appears to come from an intended acceptor, but specifies a security mechanism different from the one proposed by the initiator.
- http://advisories.mageia.org/MGASA-2014-0345.html
- http://aix.software.ibm.com/aix/efixes/security/nas_advisory1.asc
- http://krbdev.mit.edu/rt/Ticket/Display.html?id=7969
- FEDORA-2014-8189
- RHSA-2015:0439
- 59102
- 60082
- 60448
- 61052
- GLSA-201412-53
- http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15553.html
- DSA-3000
- 109390
- 69159
- 1030706
- https://bugzilla.redhat.com/show_bug.cgi?id=1121876
- kerberos-cve20144343-dos(95211)
- https://github.com/krb5/krb5/commit/f18ddf5d82de0ab7591a36e465bc24225776940f
Modified: 2024-11-21
CVE-2014-4344
The acc_ctx_cont function in the SPNEGO acceptor in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty continuation token at a certain point during a SPNEGO negotiation.
- http://advisories.mageia.org/MGASA-2014-0345.html
- http://aix.software.ibm.com/aix/efixes/security/nas_advisory1.asc
- http://krbdev.mit.edu/rt/Ticket/Display.html?id=7970
- FEDORA-2014-8189
- RHSA-2015:0439
- 59102
- 60082
- 60448
- 61051
- http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15561.html
- DSA-3000
- MDVSA-2014:165
- 109389
- 69160
- 1030706
- https://bugzilla.redhat.com/show_bug.cgi?id=1121877
- kerberos-cve20144344-dos(95210)
- https://github.com/krb5/krb5/commit/524688ce87a15fc75f87efc8c039ba4c7d5c197b
- https://github.com/krb5/krb5/commit/a7886f0ed1277c69142b14a2c6629175a6331edc
Modified: 2024-11-21
CVE-2014-4345
Off-by-one error in the krb5_encode_krbsecretkey function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module in kadmind in MIT Kerberos 5 (aka krb5) 1.6.x through 1.11.x before 1.11.6 and 1.12.x before 1.12.2 allows remote authenticated users to cause a denial of service (buffer overflow) or possibly execute arbitrary code via a series of "cpw -keepold" commands.
- http://advisories.mageia.org/MGASA-2014-0345.html
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- http://krbdev.mit.edu/rt/Ticket/Display.html?id=7980
- http://linux.oracle.com/errata/ELSA-2014-1255.html
- FEDORA-2014-9315
- FEDORA-2014-9305
- SUSE-SU-2014:1028
- openSUSE-SU-2014:1043
- RHSA-2014:1255
- RHSA-2015:0439
- 59102
- 59415
- 59993
- 60535
- 60776
- 61314
- 61353
- GLSA-201412-53
- http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2014-001.txt
- DSA-3000
- MDVSA-2014:165
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- 109908
- 69168
- 1030705
- https://blogs.oracle.com/sunsecurity/entry/cve_2014_4345_numeric_errors
- https://bugzilla.redhat.com/show_bug.cgi?id=1128157
- kerberos-cve20144345-bo(95212)
- https://github.com/krb5/krb5/commit/dc7ed55c689d57de7f7408b34631bf06fec9dab1
- https://github.com/krb5/krb5/pull/181
Modified: 2024-11-21
CVE-2014-5351
The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access.
- http://advisories.mageia.org/MGASA-2014-0477.html
- http://krbdev.mit.edu/rt/Ticket/Display.html?id=8018
- FEDORA-2014-11940
- FEDORA-2015-2382
- SUSE-SU-2015:0290
- openSUSE-SU-2015:0255
- GLSA-201412-53
- MDVSA-2014:224
- 70380
- 1031003
- USN-2498-1
- https://bugzilla.redhat.com/show_bug.cgi?id=1145425
- kerberos-cve20145351-sec-bypass(97028)
- https://github.com/krb5/krb5/commit/af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca
- [debian-lts-announce] 20180131 [SECURITY] [DLA 1265-1] krb5 security update
Modified: 2024-11-21
CVE-2014-5354
plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by creating a database entry for a keyless principal, as demonstrated by a kadmin "add_principal -nokey" or "purgekeys -all" command.
Package phpMyAdmin updated to version 4.2.13.1-alt1 for branch sisyphus in task 136046.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2014-9218
libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.7, 4.1.x before 4.1.14.8, and 4.2.x before 4.2.13.1 allows remote attackers to cause a denial of service (resource consumption) via a long password.
- DSA-3382
- MDVSA-2014:243
- http://www.phpmyadmin.net/home_page/security/PMASA-2014-17.php
- 71434
- phpmyadmin-cve20149218-dos(99140)
- https://github.com/phpmyadmin/phpmyadmin/commit/095729d81205f15f40d216d25917017da4c2fff8
- https://github.com/phpmyadmin/phpmyadmin/commit/1ac863c7573d12012374d5d41e5c7dc5505ea6e1
- https://github.com/phpmyadmin/phpmyadmin/commit/62b2c918d26cc78d1763945e3d44d1a63294a819
Modified: 2024-11-21
CVE-2014-9219
Cross-site scripting (XSS) vulnerability in the redirection feature in url.php in phpMyAdmin 4.2.x before 4.2.13.1 allows remote attackers to inject arbitrary web script or HTML via the url parameter.
- MDVSA-2014:243
- http://www.phpmyadmin.net/home_page/security/PMASA-2014-18.php
- phpmyadmin-cve20149219-xss(99137)
- https://github.com/phpmyadmin/phpmyadmin/commit/9b2479b7216dd91a6cc2f231c0fd6b85d457f6e2