CVE-2016-10376 Fedora Security Update for gajim (FEDORA-2017-3c561780c8)

漏洞类别:Fedora

漏洞等级:

漏洞信息

Fedora has released security update for gajim to fix the vulnerability.

Affected OS:
Fedora 24
Fedora 25

漏洞危害

This vulnerability could be exploited to gain partial access to sensitive information.

解决方案

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
Fedora 24 Update
Fedora 25 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-3c561780c8: Fedora 24

FEDORA-2017-3c561780c8: Fedora 25

0daybank

CVE-2017-8366 Fedora Security Update for ettercap (FEDORA-2017-8722576148)

漏洞类别:Fedora

漏洞等级:

漏洞信息

Fedora has released security update for ettercap to fix the vulnerability.

Affected OS:
Fedora 24
Fedora 25

漏洞危害

This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.

解决方案

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
Fedora 24 Update
Fedora 25 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-8722576148: Fedora 24

FEDORA-2017-8722576148: Fedora 25

0daybank

CVE-2017-1000366 Oracle Enterprise Linux Security Update for glibc (ELSA-2017-1481) (Stack Clash)

漏洞类别:OEL’

漏洞等级:

漏洞信息

Oracle Enterprise Linux has released security update for glibc to fix the vulnerabilities.

Affected Products:
Oracle Linux 7

漏洞危害

An attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system.

解决方案

To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

Oracle Linux 7

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ELSA-2017-1481: Oracle Linux 7

0daybank

CVE-2017-1000363 Ubuntu Security Notification for Linux-aws, Linux-meta-aws Vulnerabilities (USN-3331-1)

漏洞类别:Ubuntu

漏洞等级:

漏洞信息

It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap.

It was discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments.

A reference count bug was discovered in the Linux kernel ipx protocol stack.

A double free bug was discovered in the IPv4 stack of the Linux kernel.

An IPv6 out-of-bounds read error in the Linux kernel’s IPv6 stack.

A flaw in the handling of inheritance in the Linux kernel’s IPv6 stack.

It was discovered that dccp v6 in the Linux kernel mishandled inheritance.

It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance.

It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten.

漏洞危害

An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364)

A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363)

A local attacker could exploit this flaw to cause a denial of service or possibly other unspecified problems. (CVE-2017-7487)

An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890)

A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074)

A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075)

A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076)

A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077)

A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242)

解决方案

Refer to Ubuntu advisory USN-3331-1 for affected packages and patching details, or update with your package manager.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

USN-3331-1: 16.04 (Xenial) on src (linux-image-4.4.0-1020-aws)

0daybank

CVE-2017-1000363 Ubuntu Security Notification for Linux-meta-raspi2, Linux-raspi2 Vulnerabilities (USN-3332-1)

漏洞类别:Ubuntu

漏洞等级:

漏洞信息

It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap.

It was discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments.

A reference count bug was discovered in the Linux kernel ipx protocol stack.

A double free bug was discovered in the IPv4 stack of the Linux kernel.

An IPv6 out-of-bounds read error in the Linux kernel’s IPv6 stack.

A flaw in the handling of inheritance in the Linux kernel’s IPv6 stack.

It was discovered that dccp v6 in the Linux kernel mishandled inheritance.

It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance.

It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten.

漏洞危害

An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364)

A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363)

A local attacker could exploit this flaw to cause a denial of service or possibly other unspecified problems. (CVE-2017-7487)

An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890)

A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074)

A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075)

A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076)

A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077)

A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242)

解决方案

Refer to Ubuntu advisory USN-3332-1 for affected packages and patching details, or update with your package manager.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

USN-3332-1: 16.04 (Xenial) on src (linux-image-4.4.0-1059-raspi2)

USN-3332-1: 16.04 (Xenial) on src (linux-image-raspi2)

0daybank

CVE-2017-1000363 Ubuntu Security Notification for Linux-hwe, Linux-meta-hwe Vulnerabilities (USN-3333-1)

漏洞类别:Ubuntu

漏洞等级:

漏洞信息

It was discovered that a use-after-free flaw existed in the filesystem encryption subsystem in the Linux kernel.

It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap.

It was discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments.

It was discovered that the VideoCore DRM driver in the Linux kernel did not return an error after detecting certain overflows.

A double free bug was discovered in the IPv4 stack of the Linux kernel.

An IPv6 out-of-bounds read error in the Linux kernel’s IPv6 stack.

A flaw in the handling of inheritance in the Linux kernel’s IPv6 stack.

It was discovered that dccp v6 in the Linux kernel mishandled inheritance.

It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance.

It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten.

漏洞危害

A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7374)

An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364)

A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363)

A local attacker could exploit this issue to cause a denial of service (OOPS). (CVE-2017-5577)

An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890)

A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074)

A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075)

A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076)

A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077)

A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242)

0daybank

CVE-2017-1000363 Ubuntu Security Notification for Linux-lts-xenial, Linux-meta-lts-xenial Vulnerabilities (USN-3334-1)

漏洞类别:Ubuntu

漏洞等级:

漏洞信息

It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap.

It was discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments.

A reference count bug was discovered in the Linux kernel ipx protocol stack.

A double free bug was discovered in the IPv4 stack of the Linux kernel.

An IPv6 out-of-bounds read error in the Linux kernel’s IPv6 stack.

A flaw in the handling of inheritance in the Linux kernel’s IPv6 stack.

It was discovered that dccp v6 in the Linux kernel mishandled inheritance.

It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance.

It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten.

漏洞危害

An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364)

A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363)

A local attacker could exploit this flaw to cause a denial of service or possibly other unspecified problems. (CVE-2017-7487)

An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890)

A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074)

A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075)

A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076)

A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077)

A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242)

0daybank

CVE-2014-9940 Ubuntu Security Notification for Linux, Linux-meta Vulnerabilities (USN-3335-1)

漏洞类别:Ubuntu

漏洞等级:

漏洞信息

It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap.

It was discovered that a use-after-free vulnerability in the core voltage regulator driver of the Linux kernel.

It was discovered that a buffer overflow existed in the trace subsystem in the Linux kernel.

It was discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments.

An integer overflow vulnerability existed in the Direct Rendering Manager (DRM) driver for VMWare devices in the Linux kernel.

A double free bug was discovered in the IPv4 stack of the Linux kernel.

An IPv6 out-of-bounds read error in the Linux kernel’s IPv6 stack.

A flaw in the handling of inheritance in the Linux kernel’s IPv6 stack.

It was discovered that dccp v6 in the Linux kernel mishandled inheritance.

It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance.

It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten.

漏洞危害

An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364)

A local attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2014-9940)

A privileged local attacker could use this to execute arbitrary code. (CVE-2017-0605)

A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363)

A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7294)

An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890)

A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074)

A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075)

A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076)

A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077)

A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242)

解决方案

Refer to Ubuntu advisory USN-3335-1 for affected packages and patching details, or update with your package manager.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

USN-3335-1: 14.04 (Kylin) on src (linux-image-powerpc64-emb)

USN-3335-1: 14.04 (Kylin) on src (linux-image-powerpc-e500)

USN-3335-1: 14.04 (Kylin) on src (linux-image-generic-lpae-lts-saucy)

USN-3335-1: 14.04 (Kylin) on src (linux-image-3.13.0-121-powerpc-smp)

USN-3335-1: 14.04 (Kylin) on src (linux-image-powerpc-e500mc)

USN-3335-1: 14.04 (Kylin) on src (linux-image-generic-pae)

USN-3335-1: 14.04 (Kylin) on src (linux-image-3.13.0-121-powerpc64-emb)

USN-3335-1: 14.04 (Kylin) on src (linux-image-lowlatency)

USN-3335-1: 14.04 (Kylin) on src (linux-image-3.13.0-121-powerpc-e500mc)

USN-3335-1: 14.04 (Kylin) on src (linux-image-lowlatency-pae)

USN-3335-1: 14.04 (Kylin) on src (linux-image-generic-lpae-lts-trusty)

USN-3335-1: 14.04 (Kylin) on src (linux-image-omap)

USN-3335-1: 14.04 (Kylin) on src (linux-image-3.13.0-121-lowlatency)

USN-3335-1: 14.04 (Kylin) on src (linux-image-3.13.0-121-generic-lpae)

USN-3335-1: 14.04 (Kylin) on src (linux-image-3.13.0-121-generic)

USN-3335-1: 14.04 (Kylin) on src (linux-image-generic-lts-quantal)

USN-3335-1: 14.04 (Kylin) on src (linux-image-generic-lts-trusty)

USN-3335-1: 14.04 (Kylin) on src (linux-image-powerpc-smp)

USN-3335-1: 14.04 (Kylin) on src (linux-image-generic-lts-raring)

USN-3335-1: 14.04 (Kylin) on src (linux-image-generic)

USN-3335-1: 14.04 (Kylin) on src (linux-image-powerpc64-smp)

USN-3335-1: 14.04 (Kylin) on src (linux-image-3.13.0-121-powerpc64-smp)

USN-3335-1: 14.04 (Kylin) on src (linux-image-highbank)

USN-3335-1: 14.04 (Kylin) on src (linux-image-3.13.0-121-powerpc-e500)

USN-3335-1: 14.04 (Kylin) on src (linux-image-generic-lpae)

USN-3335-1: 14.04 (Kylin) on src (linux-image-generic-lts-saucy)

USN-3335-1: 14.04 (Kylin) on src (linux-image-virtual)

0daybank

CVE-2017-1000363 Ubuntu Security Notification for Linux, Linux-meta Vulnerabilities (USN-3328-1)

漏洞类别:Ubuntu

漏洞等级:

漏洞信息

It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap.

It was discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments.

A reference count bug was discovered in the Linux kernel ipx protocol stack.

A double free bug was discovered in the IPv4 stack of the Linux kernel.

An IPv6 out-of-bounds read error in the Linux kernel’s IPv6 stack.

A flaw in the handling of inheritance in the Linux kernel’s IPv6 stack.

It was discovered that dccp v6 in the Linux kernel mishandled inheritance.

It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance.

It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten.

漏洞危害

An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364)

A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363)

A local attacker could exploit this flaw to cause a denial of service or possibly other unspecified problems. (CVE-2017-7487)

An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890)

A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074)

A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075)

A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076)

A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077)

A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242)

解决方案

Refer to Ubuntu advisory USN-3328-1 for affected packages and patching details, or update with your package manager.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

USN-3328-1: 16.04 (Xenial) on src (linux-image-powerpc64-emb)

USN-3328-1: 16.04 (Xenial) on src (linux-image-powerpc64-emb-lts-xenial)

USN-3328-1: 16.04 (Xenial) on src (linux-image-lowlatency-lts-xenial)

USN-3328-1: 16.04 (Xenial) on src (linux-image-powerpc-smp-lts-xenial)

USN-3328-1: 16.04 (Xenial) on src (linux-image-4.4.0-81-powerpc64-emb)

USN-3328-1: 16.04 (Xenial) on src (linux-image-lowlatency-lts-vivid)

USN-3328-1: 16.04 (Xenial) on src (linux-image-lowlatency-lts-utopic)

USN-3328-1: 16.04 (Xenial) on src (linux-image-4.4.0-81-powerpc-smp)

USN-3328-1: 16.04 (Xenial) on src (linux-image-powerpc-smp-lts-utopic)

USN-3328-1: 16.04 (Xenial) on src (linux-image-powerpc-smp-lts-vivid)

USN-3328-1: 16.04 (Xenial) on src (linux-image-powerpc64-smp-lts-vivid)

USN-3328-1: 16.04 (Xenial) on src (linux-image-virtual-lts-xenial)

USN-3328-1: 16.04 (Xenial) on src (linux-image-powerpc-e500mc-lts-vivid)

USN-3328-1: 16.04 (Xenial) on src (linux-image-4.4.0-81-powerpc64-smp)

USN-3328-1: 16.04 (Xenial) on src (linux-image-lowlatency-lts-wily)

USN-3328-1: 16.04 (Xenial) on src (linux-image-generic-lpae-lts-utopic)

USN-3328-1: 16.04 (Xenial) on src (linux-image-powerpc64-smp-lts-wily)

USN-3328-1: 16.04 (Xenial) on src (linux-image-powerpc-smp)

USN-3328-1: 16.04 (Xenial) on src (linux-image-powerpc64-smp-lts-xenial)

USN-3328-1: 16.04 (Xenial) on src (linux-image-generic-lts-wily)

USN-3328-1: 16.04 (Xenial) on src (linux-image-virtual-lts-utopic)

USN-3328-1: 16.04 (Xenial) on src (linux-image-generic-lts-utopic)

USN-3328-1: 16.04 (Xenial) on src (linux-image-generic-lpae)

USN-3328-1: 16.04 (Xenial) on src (linux-image-generic-lts-vivid)

USN-3328-1: 16.04 (Xenial) on src (linux-image-generic-lpae-lts-wily)

USN-3328-1: 16.04 (Xenial) on src (linux-image-powerpc-e500mc-lts-utopic)

USN-3328-1: 16.04 (Xenial) on src (linux-image-powerpc-e500mc-lts-wily)

USN-3328-1: 16.04 (Xenial) on src (linux-image-generic)

USN-3328-1: 16.04 (Xenial) on src (linux-image-powerpc-e500mc)

USN-3328-1: 16.04 (Xenial) on src (linux-image-powerpc64-emb-lts-vivid)

USN-3328-1: 16.04 (Xenial) on src (linux-image-powerpc64-emb-lts-utopic)

USN-3328-1: 16.04 (Xenial) on src (linux-image-powerpc-smp-lts-wily)

USN-3328-1: 16.04 (Xenial) on src (linux-image-4.4.0-81-lowlatency)

USN-3328-1: 16.04 (Xenial) on src (linux-image-virtual-lts-wily)

USN-3328-1: 16.04 (Xenial) on src (linux-image-powerpc-e500mc-lts-xenial)

USN-3328-1: 16.04 (Xenial) on src (linux-image-4.4.0-81-powerpc-e500mc)

USN-3328-1: 16.04 (Xenial) on src (linux-image-generic-lpae-lts-vivid)

USN-3328-1: 16.04 (Xenial) on src (linux-image-4.4.0-81-generic-lpae)

USN-3328-1: 16.04 (Xenial) on src (linux-image-powerpc64-emb-lts-wily)

USN-3328-1: 16.04 (Xenial) on src (linux-image-virtual)

USN-3328-1: 16.04 (Xenial) on src (linux-image-powerpc64-smp-lts-utopic)

USN-3328-1: 16.04 (Xenial) on src (linux-image-generic-lts-xenial)

USN-3328-1: 16.04 (Xenial) on src (linux-image-generic-lpae-lts-xenial)

USN-3328-1: 16.04 (Xenial) on src (linux-image-4.4.0-81-generic)

USN-3328-1: 16.04 (Xenial) on src (linux-image-virtual-lts-vivid)

USN-3328-1: 16.04 (Xenial) on src (linux-image-lowlatency)

USN-3328-1: 16.04 (Xenial) on src (linux-image-powerpc64-smp)

0daybank

CVE-2017-1000363 Ubuntu Security Notification for Linux-meta-raspi2, Linux-raspi2 Vulnerabilities (USN-3327-1)

漏洞类别:Ubuntu

漏洞等级:

漏洞信息

It was discovered that a use-after-free flaw existed in the filesystem encryption subsystem in the Linux kernel.

It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap.

It was discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments.

It was discovered that the VideoCore DRM driver in the Linux kernel did not return an error after detecting certain overflows.

A double free bug was discovered in the IPv4 stack of the Linux kernel.

An IPv6 out-of-bounds read error in the Linux kernel’s IPv6 stack.

A flaw in the handling of inheritance in the Linux kernel’s IPv6 stack.

It was discovered that dccp v6 in the Linux kernel mishandled inheritance.

It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance.

It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten.

漏洞危害

A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7374)

An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364)

A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363)

A local attacker could exploit this issue to cause a denial of service (OOPS). (CVE-2017-5577)

An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890)

A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074)

A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075)

A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076)

A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077)

A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242)

解决方案

Refer to Ubuntu advisory USN-3327-1 for affected packages and patching details, or update with your package manager.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

USN-3327-1: 16.10 (Yakkety) on src (linux-image-4.8.0-1040-raspi2)

USN-3327-1: 16.10 (Yakkety) on src (linux-image-raspi2)

0daybank

CVE-2017-1000363 Ubuntu Security Notification for Linux, Linux-meta Vulnerabilities (USN-3326-1)

漏洞类别:Ubuntu

漏洞等级:

漏洞信息

It was discovered that a use-after-free flaw existed in the filesystem encryption subsystem in the Linux kernel.

It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap.

It was discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments.

It was discovered that the VideoCore DRM driver in the Linux kernel did not return an error after detecting certain overflows.

A double free bug was discovered in the IPv4 stack of the Linux kernel.

An IPv6 out-of-bounds read error in the Linux kernel’s IPv6 stack.

A flaw in the handling of inheritance in the Linux kernel’s IPv6 stack.

It was discovered that dccp v6 in the Linux kernel mishandled inheritance.

It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance.

It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten.

漏洞危害

A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7374)

An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364)

A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363)

A local attacker could exploit this issue to cause a denial of service (OOPS). (CVE-2017-5577)

An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890)

A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074)

A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075)

A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076)

A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077)

A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242)

0daybank

CVE-2017-1000363 Ubuntu Security Notification for Linux, Linux-meta Vulnerabilities (USN-3324-1)

漏洞类别:Ubuntu

漏洞等级:

漏洞信息

It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap.

It was discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments.

A double free bug was discovered in the IPv4 stack of the Linux kernel.

An IPv6 out-of-bounds read error in the Linux kernel’s IPv6 stack.

A flaw in the handling of inheritance in the Linux kernel’s IPv6 stack.

It was discovered that dccp v6 in the Linux kernel mishandled inheritance.

It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance.

It was discovered that bpf in Linux kernel does not restrict the output of the print_bpf_insn function.

It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten.

漏洞危害

An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364)

A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363)

An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890)

A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074)

A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075)

A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076)

A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077)

A local attacker could use this to obtain sensitive address information. (CVE-2017-9150)

A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242)

0daybank

CVE-2017-9526 SUSE Enterprise Linux Security Update for libgcrypt (SUSE-SU-2017:1608-1)

漏洞类别:SUSE

漏洞等级:

漏洞信息

SUSE has released security update for libgcrypt to fix the vulnerabilities.

Affected Products:
SUSE Linux Enterprise Software Development Kit 12-SP2
SUSE Linux Enterprise Server 12-SP2
SUSE Linux Enterprise Desktop 12-SP2

漏洞危害

This vulnerability could be exploited to gain partial access to sensitive information.

解决方案

Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

To install packages using the command line interface, use the command “yum update”.

Refer to SUSE security advisory SUSE-SU-2017:1608-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

SUSE-SU-2017:1608-1: SUSE Enterprise Linux

0daybank

CVE-2017-9462 SUSE Enterprise Linux Security Update for mercurial (SUSE-SU-2017:1606-1)

漏洞类别:SUSE’

漏洞等级:

漏洞信息

SUSE has released security update for mercurial to fix the vulnerabilities.

Affected Products:
SUSE Linux Enterprise Software Development Kit 12-SP2

漏洞危害

This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.

解决方案

Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

To install packages using the command line interface, use the command “yum update”.

Refer to SUSE security advisory SUSE-SU-2017:1606-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

SUSE-SU-2017:1606-1: SUSE Enterprise Linux

0daybank

CVE-2017-2581 SUSE Enterprise Linux Security Update for netpbm (SUSE-SU-2017:1603-1)

漏洞类别:SUSE

漏洞等级:

漏洞信息

SUSE has released security update for netpbm to fix the vulnerabilities.

Affected Products:
SUSE Linux Enterprise Software Development Kit 12-SP2
SUSE Linux Enterprise Server 12-SP2
SUSE Linux Enterprise Desktop 12-SP2

漏洞危害

This vulnerability can be used to cause a limited denial of service in the form of interruptions in resource availability.

解决方案

Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

To install packages using the command line interface, use the command “yum update”.

Refer to SUSE security advisory SUSE-SU-2017:1603-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

SUSE-SU-2017:1603-1: SUSE Enterprise Linux

0daybank

CVE-2014-9847 SUSE Enterprise Linux Security Update for GraphicsMagick (SUSE-SU-2017:1600-1)

漏洞类别:SUSE

漏洞等级:

漏洞信息

SUSE has released security update for graphicsmagick to fix the vulnerabilities.

Affected Products:
SUSE Linux Enterprise Software Development Kit 11-SP4

漏洞危害

This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.

解决方案

Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

To install packages using the command line interface, use the command “yum update”.

Refer to SUSE security advisory SUSE-SU-2017:1600-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

SUSE-SU-2017:1600-1: SUSE Enterprise Linux

0daybank

CVE-2014-9846 SUSE Enterprise Linux Security Update for ImageMagick (SUSE-SU-2017:1599-1)

漏洞类别:SUSE

漏洞等级:

漏洞信息

SUSE has released security update for imagemagick to fix the vulnerabilities.

Affected Products:
SUSE Linux Enterprise Software Development Kit 11-SP4
SUSE Linux Enterprise Server 11-SP4

漏洞危害

This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.

解决方案

Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

To install packages using the command line interface, use the command “yum update”.

Refer to SUSE security advisory SUSE-SU-2017:1599-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

SUSE-SU-2017:1599-1: SUSE Enterprise Linux

0daybank

CVE-2017-5470 CentOS Security Update for firefox (CESA-2017:1440)

漏洞类别:CentOS

漏洞等级:

漏洞信息

CentOS has released security update for firefox to fix the vulnerabilities.

Affected Products:

centos 6
centos 7

漏洞危害

Successful exploitation allows attacker to compromise the system.

解决方案

To resolve this issue, upgrade to the latest packages which contain a patch. Refer to CentOS advisory centos 6 andcentos 7 for updates and patch information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

CESA-2017:1440: centos 6

CESA-2017:1440: centos 7

0daybank

CVE-2017-7718 CentOS Security Update for qemu-kvm (CESA-2017:1430)

漏洞类别:CentOS

漏洞等级:

漏洞信息

CentOS has released security update for qemu-kvm to fix the vulnerabilities.

Affected Products:

centos 7

漏洞危害

This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.

解决方案

To resolve this issue, upgrade to the latest packages which contain a patch. Refer to CentOS advisory centos 7 for updates and patch information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

CESA-2017:1430: centos 7

0daybank

CVE-2017-7484 OpenSUSE Security Update for postgresql93 (openSUSE-SU-2017:1495-1)

漏洞类别:SUSE

漏洞等级:

漏洞信息

SUSE has released security update for postgresql93 to fix the vulnerabilities.

Affected Products:
openSUSE Leap 42.2

漏洞危害

This vulnerability could be exploited to gain partial access to sensitive information.

解决方案

Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

To install packages using the command line interface, use the command “yum update”.

Refer to SUSE security advisory openSUSE-SU-2017:1495-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

openSUSE-SU-2017:1495-1: OpenSuse

0daybank

CVE-2016-6255 OpenSUSE Security Update for libupnp (openSUSE-SU-2017:1485-1)

漏洞类别:SUSE

漏洞等级:

漏洞信息

SUSE has released security update for libupnp to fix the vulnerabilities.

Affected Products:
openSUSE Leap 42.2

漏洞危害

This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.

解决方案

Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

To install packages using the command line interface, use the command “yum update”.

Refer to SUSE security advisory openSUSE-SU-2017:1485-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

openSUSE-SU-2017:1485-1: OpenSuse

0daybank

CVE-2017-3302 OpenSUSE Security Update for mariadb (openSUSE-SU-2017:1475-1)

漏洞类别:SUSE

漏洞等级:

漏洞信息

SUSE has released security update for mariadb to fix the vulnerabilities.

Affected Products:
openSUSE Leap 42.2

漏洞危害

This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.

解决方案

Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

To install packages using the command line interface, use the command “yum update”.

Refer to SUSE security advisory openSUSE-SU-2017:1475-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

openSUSE-SU-2017:1475-1: OpenSuse

0daybank

CVE-2017-1000364 SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2017:1628-1) (Stack Clash)

漏洞类别:SUSE

漏洞等级:

漏洞信息

SUSE has released security update for the linux kernel to fix the vulnerabilities.

Affected Products:
SUSE Linux Enterprise Software Development Kit 11-SP4
SUSE Linux Enterprise Server 11-SP4

漏洞危害

This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally this vulnerability can also be used to cause a complete denial of service and could render the resource completely unavailable.

解决方案

Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

To install packages using the command line interface, use the command “yum update”.

Refer to SUSE security advisory SUSE-SU-2017:1628-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

SUSE-SU-2017:1628-1: SUSE Enterprise Linux

0daybank

CVE-2017-1000368 SUSE Enterprise Linux Security Update for sudo (SUSE-SU-2017:1626-1)

漏洞类别:SUSE

漏洞等级:

漏洞信息

SUSE has released security update for sudo to fix the vulnerabilities.

Affected Products:
SUSE Linux Enterprise Software Development Kit 12-SP2
SUSE Linux Enterprise Server 12-SP2
SUSE Linux Enterprise Desktop 12-SP2

漏洞危害

This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally this vulnerability can also be used to cause a complete denial of service and could render the resource completely unavailable.

解决方案

Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

To install packages using the command line interface, use the command “yum update”.

Refer to SUSE security advisory SUSE-SU-2017:1626-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

SUSE-SU-2017:1626-1: SUSE Enterprise Linux

0daybank

CVE-2016-6329 SUSE Enterprise Linux Security Update for openvpn (SUSE-SU-2017:1622-1)

漏洞类别:SUSE

漏洞等级:

漏洞信息

SUSE has released security update for openvpn to fix the vulnerabilities.

Affected Products:
SUSE Linux Enterprise Server 12-SP2
SUSE Linux Enterprise Desktop 12-SP2

漏洞危害

This vulnerability could be exploited to gain partial access to sensitive information.

解决方案

Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

To install packages using the command line interface, use the command “yum update”.

Refer to SUSE security advisory SUSE-SU-2017:1622-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

SUSE-SU-2017:1622-1: SUSE Enterprise Linux

0daybank