Debian Security Update for python-django (DSA 3678-1)

Vulnerability category: Debian

Severity:

Vulnerability information

Debian has released a security update for python-django to fix the vulnerabilities.

Impact

Successful exploitation allows an attacker to compromise the system.

Solution

Refer to Debian security advisory DSA 3678-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

DSA 3678-1: Debian


Debian Security Update for libarchive (DSA 3677-1)

Vulnerability category: Debian

Severity:

Vulnerability information

Debian has released a security update for libarchive to fix the vulnerabilities.

Impact

The sandboxing code in libarchive mishandles hardlink archive entries of non-zero data size, which might allow remote attackers to write to arbitrary files via a crafted archive file.

Solution

Refer to Debian security advisory DSA 3677-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

DSA 3677-1: Debian


Debian Security Update for unadf (DSA 3676-1)

Vulnerability category: Debian

Severity:

Vulnerability information

Debian has released a security update for unadf to fix the vulnerabilities.

Impact

Successful exploitation allows an attacker to compromise the system.

Solution

Refer to Debian security advisory DSA 3676-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

DSA 3676-1: Debian


Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulne…

Vulnerability category: Local

Severity:

Vulnerability information

Cisco AnyConnect is a VPN Client for multiple platforms.

Cisco AnyConnect Secure Mobility Client contains a vulnerability that could allow an authenticated, local attacker to execute arbitrary code with elevated privileges.

Affected Versions:
Cisco AnyConnect Secure Mobility Client 4.0(.00051) and earlier

Impact

Successful exploitation allows local users to gain privileges via crafted IPC messages that trigger the use of root privileges for a software-package installation.

Solution

Solution or updates are not available.


EOL/Obsolete Software: HP Data Protector 6.0x Detected.

Vulnerability category: Local

Severity:

Vulnerability information

HPE Data Protector software provides comprehensive data backup and recovery across physical, virtual and hybrid environments.

Hewlett Packard Enterprise is announcing the version discontinuance of HP Data Protector 6.0x.

Affected Version:
HP Data Protector 6.0x

Impact

The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is highly prone to vulnerabilities.

Solution

Please visit HP Data Protector 6.0x for more information.


Joomla! com_videogallerylite ajax_url.php SQL Injection Vulnerability

Vulnerability category: CGI

Severity:

Vulnerability information

Joomla! is a free open-source content management system written in PHP. It uses object oriented programming techniques and is built on a model-view-controller web application framework. It includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and support for language internationalization. Huge-IT Video Gallery is a Joomla! video gallery component.

The vulnerability exists in the components/com_videogallerylite/ajax_url.php source file, which fails to sanitize user-supplied input received via the load_videos_content argument. An unauthenticated, remote attacker could exploit this vulnerability by transmitting crafted HTTP GET requests to inject malicious SQL code into a targeted Joomla! installation.

Affected versions:
Joomla Huge-IT Video Gallery (com_videogallerylite) component 3.3.6

Impact

Successful exploitation allows an unauthenticated, remote attacker to manipulate SQL queries by injecting arbitrary SQL code or to further exploit latent vulnerabilities in the underlying database.

Solution

The vendor has not confirmed this vulnerability.

Workaround:
Although the vendor has not confirmed this vulnerability, an updated version is available, which may fix the vulnerability. Customers are advised to install the updated version.


Oracle Enterprise Linux Security Update for openssl (ELSA-2016-1940)

Vulnerability category: OEL

Severity:

Vulnerability information

Oracle Enterprise Linux has released a security update for openssl to fix the vulnerabilities.

Affected Products:
Oracle Linux 7
Oracle Linux 6

Impact

Successful exploitation allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records.

Solution

To resolve this issue, upgrade to the latest packages, which contain a patch. Refer to Oracle Enterprise Linux advisory ELSA-2016-1940 (Oracle Linux 7, Oracle Linux 6) for updates and patch information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ELSA-2016-1940: Oracle Linux 7

ELSA-2016-1940: Oracle Linux 6


SUSE Enterprise Linux Security Update for openssh (SUSE-SU-2016:2388-1)

Vulnerability category: SUSE

Severity:

Vulnerability information

SUSE has released a security update for openssh to fix the vulnerabilities.

Affected Products:
SUSE OpenStack Cloud 5
SUSE Manager Proxy 2.1
SUSE Manager 2.1
SUSE Linux Enterprise Server 11-SP3-LTSS
SUSE Linux Enterprise Point of Sale 11-SP3
SUSE Linux Enterprise Debuginfo 11-SP3

Impact

This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally, this vulnerability can be used to cause a complete denial of service and could render the resource completely unavailable.

Solution

Upgrade to the latest packages, which contain a patch. To install this SUSE Security Update, use YaST online_update. Alternatively, you can run the command listed for your product.

To install packages using the command line interface, use the command “yum update”.

Refer to SUSE security advisory SUSE-SU-2016:2388-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

SUSE-SU-2016:2388-1: SUSE Enterprise Linux


SUSE Enterprise Linux Security Update for libtcnative-1-0 (SUSE-SU-2016:2385-1)

Vulnerability category: SUSE

Severity:

Vulnerability information

SUSE has released a security update for libtcnative-1-0 to fix the vulnerabilities.

Affected Products:
SUSE Linux Enterprise Server 11-SP4
SUSE Linux Enterprise Debuginfo 11-SP4

Impact

Malicious users could use this vulnerability to change partial contents or configuration on the system.

Solution

Upgrade to the latest packages, which contain a patch. To install this SUSE Security Update, use YaST online_update. Alternatively, you can run the command listed for your product.

To install packages using the command line interface, use the command “yum update”.

Refer to SUSE security advisory SUSE-SU-2016:2385-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

SUSE-SU-2016:2385-1: SUSE Enterprise Linux


EOL/Obsolete Software: Drupal 5.x Detected

Vulnerability category: CGI

Severity:

Vulnerability information

Drupal is a free and open-source content-management framework written in PHP and distributed under the GNU General Public License.

Drupal 5 has been detected on the host. Drupal 5 reached end of life on January 6, 2011 and is no longer covered by security advisories. Since there will be no further bug fixes or security updates for this version, it is recommended that you migrate from version 5 to a supported Drupal release such as Drupal 7 or Drupal 8.

Impact

Depending on the vulnerability being exploited, an unauthenticated remote attacker could execute arbitrary code or cause a denial of service on the targeted system.

Solution

Customers are advised to upgrade to Drupal 7, 8 or later versions to remediate this vulnerability.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

Latest Drupal


Apple Mac OS X v10.11.5 and Security Update 2016-003 Not Installed (APPLE-SA-2016-05-16-4)

Vulnerability category: Local

Severity:

Vulnerability information

Apple Mac OS X v10.11.5 and Security Update 2016-003 are missing on the target host.

Apple Mac OS X El Capitan 10.11.5 and Security Update 2016-003 are available to resolve multiple security vulnerabilities.

Impact

Successfully exploiting these vulnerabilities might allow an attacker to execute arbitrary code. Other attacks are also possible.

Solution

Apple Mac OS X v10.11.5 and Security Update 2016-003 have been released to address these issues. The update can be downloaded and installed via Apple Downloads.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

APPLE-SA-2016-05-16-4


Red Hat Update for flash-plugin (RHSA-2016:1238)

Vulnerability category: RedHat

Severity:

Vulnerability information

The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.

This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities, detailed in the Adobe Security Bulletin listed in the References section, could allow an attacker to create a specially crafted SWF file that would cause flash-plugin to crash, execute arbitrary code, or disclose sensitive information when the victim loaded a page containing the malicious SWF content. (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130, CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4135, CVE-2016-4136, CVE-2016-4137, CVE-2016-4138, CVE-2016-4139, CVE-2016-4140, CVE-2016-4141, CVE-2016-4142, CVE-2016-4143, CVE-2016-4144, CVE-2016-4145, CVE-2016-4146, CVE-2016-4147, CVE-2016-4148, CVE-2016-4149, CVE-2016-4150, CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155, CVE-2016-4156, CVE-2016-4166, CVE-2016-4171)

Impact

On successful exploitation, an attacker could create a specially crafted SWF file that would cause flash-plugin to crash, execute arbitrary code, or disclose sensitive information when the victim loaded a page containing the malicious SWF content.

Solution

Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

Refer to Red Hat security advisory RHSA-2016:1238 to address this issue and obtain more information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

RHSA-2016:1238: Red Hat Enterprise Linux


EOL/Obsolete Software: Atlassian JIRA 6.2.x Detected

Vulnerability category: CGI

Severity:

Vulnerability information

JIRA is used for issue tracking and project management.

JIRA 6.1.x reached end of life on June 8, 2016 and is no longer supported by Atlassian.

Impact

The system is at high risk of being exposed to security vulnerabilities. Since Atlassian no longer provides updates, obsolete software is more vulnerable to attacks.

Solution

Upgrade to the latest supported version of Atlassian JIRA. Refer to Atlassian End of Life Policy to obtain more information.


EOL/Obsolete Operating System: Citrix XenServer 5.6 Detected

Vulnerability category: Security Policy

Severity:

Vulnerability information

The host is running XenServer 5.6. Microsoft ended support for XenServer 5.6 on 31st March 2014 and provides no further support for this operating system.

Impact

The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is more vulnerable to viruses and other attacks.

Solution

Update to the latest supported XenServer operating system from Citrix. Refer to Citrix Legacy Product Matrix for more information.


EOL/Obsolete Operating System: Citrix XenServer 5.5 Detected

Vulnerability category: Security Policy

Severity:

Vulnerability information

The host is running XenServer 5.5. Microsoft ended support for XenServer 5.5 on 15th September 2013 and provides no further support for this operating system.

Impact

The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is more vulnerable to viruses and other attacks.

Solution

Update to the latest supported XenServer operating system from Citrix. Refer to Citrix Legacy Product Matrix for more information.


OpenSuSE Security Update for flash-player (openSUSE-SU-2016:1625-1)

Vulnerability category: SUSE

Severity:

Vulnerability information

SUSE has released a security update for flash-player to fix the vulnerabilities.

Affected Products:
openSUSE 13.1 NonFree

Impact

This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally, this vulnerability can be used to cause a complete denial of service and could render the resource completely unavailable.

Solution

Upgrade to the latest packages, which contain a patch. To install this SUSE Security Update, use YaST online_update. Alternatively, you can run the command listed for your product.

To install packages using the command line interface, use the command “yum update”.

Refer to SUSE security advisory openSUSE-SU-2016:1625-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

openSUSE-SU-2016:1625-1: OpenSuse


OpenSuSE Security Update for flash-player (openSUSE-SU-2016:1621-1)

Vulnerability category: SUSE

Severity:

Vulnerability information

SUSE has released a security update for flash-player to fix the vulnerabilities.

Affected Products:
openSUSE 13.2 NonFree

Impact

This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally, this vulnerability can be used to cause a complete denial of service and could render the resource completely unavailable.

Solution

Upgrade to the latest packages, which contain a patch. To install this SUSE Security Update, use YaST online_update. Alternatively, you can run the command listed for your product.

To install packages using the command line interface, use the command “yum update”.

Refer to SUSE security advisory openSUSE-SU-2016:1621-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

openSUSE-SU-2016:1621-1: OpenSuse


CentOS Security Update for firefox (CESA-2016:1217)

Vulnerability category: CentOS

Severity:

Vulnerability information

CentOS has released a security update for firefox to fix the vulnerabilities.

Affected Products:
CentOS 6
CentOS 5
CentOS 7

Impact

This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally, this vulnerability can be used to cause a limited denial of service in the form of interruptions in resource availability.

Solution

To resolve this issue, upgrade to the latest packages, which contain a patch. Refer to CentOS advisory CESA-2016:1217 (CentOS 6, CentOS 5, CentOS 7) for updates and patch information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

CESA-2016:1217: CentOS 6

CESA-2016:1217: CentOS 5

CESA-2016:1217: CentOS 7


Oracle Enterprise Linux Security Update for firefox (ELSA-2016-1217)

Vulnerability category: OEL

Severity:

Vulnerability information

Oracle Enterprise Linux has released a security update for firefox to fix the vulnerabilities.

Affected Products:
Oracle Linux 7
Oracle Linux 6
Oracle Linux 5

Impact

Successful exploitation allows remote attackers to execute arbitrary code via foreign-context HTML5 fragments, as demonstrated by fragments within an SVG element.

Solution

To resolve this issue, upgrade to the latest packages, which contain a patch. Refer to Oracle Enterprise Linux advisory ELSA-2016-1217 (Oracle Linux 7, Oracle Linux 6, Oracle Linux 5) for updates and patch information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ELSA-2016-1217: Oracle Linux 7

ELSA-2016-1217: Oracle Linux 6

ELSA-2016-1217: Oracle Linux 5


EOL/Obsolete Software: Oracle WebLogic Server 10.3 Detected

Vulnerability category: Security Policy

Severity:

Vulnerability information

Oracle WebLogic Server is a Java EE application server currently developed by Oracle Corporation.

Oracle WebLogic Server 10.3.x has been detected on the host. Oracle WebLogic Server 10.3 reached end of life in January 2014 and is no longer covered by security advisories. Since there will be no further bug fixes or security updates for this version, it is recommended that you migrate from version 10.3 to the latest supported release.

Impact

The system is at high risk of being exposed to security vulnerabilities. Since Oracle no longer provides updates, obsolete software is more vulnerable to attacks.

Solution

Upgrade to the latest supported version of WebLogic Server. Refer to Oracle Lifetime Support Policy to obtain more information.


Microsoft Windows Print Spooler Components Security Update (MS16-087)

Vulnerability category: Windows

Severity:

Vulnerability information

The Print Spooler service is an executable file that is installed as a service. The spooler is loaded when the operating system starts, and it continues to run until the operating system is shut down. The Print Spooler service manages the printing process, which includes such tasks as retrieving the location of the correct printer driver, loading that driver, spooling high-level function calls into a print job and scheduling print jobs.

The security update resolves the following issues.
– A remote code execution vulnerability exists when the Windows Print Spooler service does not properly validate print drivers while installing a printer from servers. (CVE-2016-3238)

– An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. (CVE-2016-3239)

Affected Software:
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows 8.1 for 32-bit Systems
Windows 8.1 for 64-bit Systems
Windows Server 2012
Windows Server 2012 R2
Windows RT 8.1
Windows 10 for 32-bit Systems
Windows 10 for 64-bit Systems
Windows 10 Version 1511 for 32-bit Systems
Windows 10 Version 1511 for 64-bit Systems
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2 (Server Core installation)

This security update is rated Critical for all supported editions.

Impact

An attacker who successfully exploited this vulnerability could use it to execute arbitrary code and take control of an affected system.


Microsoft Office Remote Code Execution Vulnerabilities (MS16-088)

Vulnerability category: Office Application

Severity:

Vulnerability information

Multiple remote code execution vulnerabilities exist in Microsoft Office software when the Office software fails to properly handle objects in memory.

A vulnerability exists when Microsoft Office fails to properly handle XLA files.

Microsoft has released a security update that addresses the vulnerabilities by correcting how:
– Office handles objects in memory
– Certain functions handle objects in memory
– Windows validates input before loading libraries

Impact

The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user.

Solution

Refer to MS16-088 for more information.

Workaround:
1) Use Microsoft Office File Block policy to prevent Office from opening RTF documents from unknown or untrusted sources

Impact of workaround #1: Users who have configured the File Block policy and have not configured a special “exempt directory” will be unable to open documents saved in the RTF format.

2) Prevent Word from loading RTF files

Patch:
Following are links for downloading patches to fix the vulnerabilities:

MS16-088: Microsoft Excel 2007 Service Pack 3

MS16-088: Microsoft Word 2007 Service Pack 3

MS16-088: Microsoft Office 2010 Service Pack 2 (32-bit editions)

MS16-088: Microsoft Office 2010 Service Pack 2 (64-bit editions)

MS16-088: Microsoft Excel 2010 Service Pack 2 (32-bit editions)

MS16-088: Microsoft Excel 2010 Service Pack 2 (64-bit editions)

MS16-088: Microsoft Outlook 2010 Service Pack 2 (32-bit editions)

MS16-088: Microsoft Outlook 2010 Service Pack 2 (64-bit editions)

MS16-088: Microsoft PowerPoint 2010 Service Pack 2 (32-bit editions)

MS16-088: Microsoft PowerPoint 2010 Service Pack 2 (64-bit editions)

MS16-088: Microsoft Word 2010 Service Pack 2 (32-bit editions)

MS16-088: Microsoft Word 2010 Service Pack 2 (64-bit editions)

MS16-088: Microsoft Excel 2013 Service Pack 1 (32-bit editions)

MS16-088: Microsoft Excel 2013 Service Pack 1 (64-bit editions)

MS16-088: Microsoft Outlook 2013 Service Pack 1 (32-bit editions)

MS16-088: Microsoft Outlook 2013 Service Pack 1 (64-bit editions)

MS16-088: Microsoft PowerPoint 2013 Service Pack 1 (32-bit editions)

MS16-088: Microsoft PowerPoint 2013 Service Pack 1 (64-bit editions)

MS16-088: Microsoft Word 2013 Service Pack 1 (32-bit editions)

MS16-088: Microsoft Word 2013 Service Pack 1 (64-bit editions)

MS16-088: Microsoft Excel 2016 (32-bit edition)

MS16-088: Microsoft Excel 2016 (64-bit edition)

MS16-088: Microsoft Outlook 2016 (32-bit edition)

MS16-088: Microsoft Outlook 2016 (64-bit edition)

MS16-088: Microsoft Word 2016 (32-bit edition)

MS16-088: Microsoft Word 2016 (64-bit edition)

MS16-088: Microsoft Excel for Mac 2011

MS16-088: Microsoft Word for Mac 2011

MS16-088: Microsoft Excel 2016 for Mac

MS16-088: Microsoft Word 2016 for Mac

MS16-088: Microsoft Office Compatibility Pack Service Pack 3

MS16-088: Microsoft Office Compatibility Pack Service Pack 3

MS16-088: Microsoft Excel Viewer

MS16-088: Microsoft Word Viewer

MS16-088: Microsoft Word Viewer

MS16-088: Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 2

MS16-088: Word Automation Services on Microsoft SharePoint Server 2013 Service Pack 1

MS16-088: Microsoft SharePoint Server 2016

MS16-088: Microsoft Office Web Apps 2010 Service Pack 2

MS16-088: Microsoft Office Web Apps Server 2013 Service Pack 1

MS16-088: Office Online Server

MS16-088: Microsoft SharePoint Foundation 2010 Service Pack 1

MS16-088: Microsoft SharePoint Foundation 2013 Service Pack 1

MS16-088: Microsoft SharePoint Server 2016


Adobe Flash Player Remote Code Execution Vulnerability (APSB16-25)

Vulnerability category: Local

Severity:

Vulnerability information

Adobe Flash Player is a multimedia application for multiple platforms.

Adobe has released security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

Affected Versions:
Adobe Flash Player 22.0.0.192 and earlier

Impact

Successful exploitation of this vulnerability will allow an attacker to execute arbitrary code; failed exploit attempts may result in a system crash.

Solution

A patch is available at this time. Update to version 22.0.0.209.
Please refer to Adobe advisory APSA16-25.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

APSB16-25


Red Hat Update for flash-plugin (RHSA-2016:1423)

Vulnerability category: RedHat

Severity:

Vulnerability information

The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.

This update upgrades Flash Player to version 11.2.202.632.

Security Fix(es):

* This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities, detailed in the Adobe Security Bulletin listed in the References section, could allow an attacker to create a specially crafted SWF file that would cause flash-plugin to crash, execute arbitrary code, or disclose sensitive information when the victim loaded a page containing the malicious SWF content. (CVE-2016-4172, CVE-2016-4173, CVE-2016-4174, CVE-2016-4175, CVE-2016-4176, CVE-2016-4177, CVE-2016-4178, CVE-2016-4179, CVE-2016-4180, CVE-2016-4181, CVE-2016-4182, CVE-2016-4183, CVE-2016-4184, CVE-2016-4185, CVE-2016-4186, CVE-2016-4187, CVE-2016-4188, CVE-2016-4189, CVE-2016-4190, CVE-2016-4217, CVE-2016-4218, CVE-2016-4219, CVE-2016-4220, CVE-2016-4221, CVE-2016-4222, CVE-2016-4223, CVE-2016-4224, CVE-2016-4225, CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229, CVE-2016-4230, CVE-2016-4231, CVE-2016-4232, CVE-2016-4233, CVE-2016-4234, CVE-2016-4235, CVE-2016-4236, CVE-2016-4237, CVE-2016-4238, CVE-2016-4239, CVE-2016-4240, CVE-2016-4241, CVE-2016-4242, CVE-2016-4243, CVE-2016-4244, CVE-2016-4245, CVE-2016-4246, CVE-2016-4247, CVE-2016-4248, CVE-2016-4249)

Impact

On successful exploitation, an attacker could create a specially crafted SWF file that would cause flash-plugin to crash, execute arbitrary code, or disclose sensitive information when the victim loaded a page containing the malicious SWF content.

Solution

Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

Refer to Red Hat security advisory RHSA-2016:1423 to address this issue and obtain more information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

RHSA-2016:1423: Red Hat Enterprise Linux


Oracle MySQL July 2016 Critical Patch Update (CPUJUL2016)

Vulnerability category: Database

Severity:

Vulnerability information

This Critical Patch Update contains 22 new security fixes for Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable without authentication.

Affected Versions:
MySQL Server, version(s) 5.5.49 and prior, 5.6.30 and prior, 5.7.12 and prior

Impact

Successful exploitation could allow an attacker to affect the confidentiality, integrity and availability of data on the target system.

Solution

Refer to vendor advisory Oracle MySQL July 2016.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

Oracle Critical Patch Update Advisory – July 2016 (MYSQL)
