2017年6月 - 漏洞银行

CVE-2016-10376 Fedora Security Update for gajim (FEDORA-2017-3c561780c8)

漏洞类别：Fedora

漏洞等级：

漏洞信息

Fedora has released security update for gajim to fix the vulnerability.

Affected OS:
Fedora 24
Fedora 25

漏洞危害

This vulnerability could be exploited to gain partial access to sensitive information.

解决方案

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
Fedora 24 Update
Fedora 25 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-3c561780c8: Fedora 24

FEDORA-2017-3c561780c8: Fedora 25

0daybank

CVE-2017-8366 Fedora Security Update for ettercap (FEDORA-2017-8722576148)

漏洞类别：Fedora

漏洞等级：

漏洞信息

Fedora has released security update for ettercap to fix the vulnerability.

Affected OS:
Fedora 24
Fedora 25

漏洞危害

This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.

解决方案

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
Fedora 24 Update
Fedora 25 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-8722576148: Fedora 24

FEDORA-2017-8722576148: Fedora 25

0daybank

CVE-2017-1000366 Oracle Enterprise Linux Security Update for glibc (ELSA-2017-1481) (Stack Clash)

漏洞类别：OEL'

漏洞等级：

漏洞信息

Oracle Enterprise Linux has released security update for glibc to fix the vulnerabilities.

Affected Products:
Oracle Linux 7

漏洞危害

An attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system.

解决方案

To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

Oracle Linux 7

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ELSA-2017-1481: Oracle Linux 7

0daybank

CVE-2017-1000363 Ubuntu Security Notification for Linux-aws, Linux-meta-aws Vulnerabilities (USN-3331-1)

漏洞类别：Ubuntu

漏洞等级：

漏洞信息

It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap.

It was discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments.

A reference count bug was discovered in the Linux kernel ipx protocol stack.

A double free bug was discovered in the IPv4 stack of the Linux kernel.

An IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack.

A flaw in the handling of inheritance in the Linux kernel's IPv6 stack.

It was discovered that dccp v6 in the Linux kernel mishandled inheritance.

It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance.

It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten.

漏洞危害

An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364)

A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363)

A local attacker could exploit this flaw to cause a denial of service or possibly other unspecified problems. (CVE-2017-7487)

An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890)

A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074)

A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075)

A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076)

A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077)

A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242)

解决方案

Refer to Ubuntu advisory USN-3331-1 for affected packages and patching details, or update with your package manager.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

USN-3331-1: 16.04 (Xenial) on src (linux-image-4.4.0-1020-aws)

0daybank

CVE-2017-1000363 Ubuntu Security Notification for Linux-meta-raspi2, Linux-raspi2 Vulnerabilities (USN-3332-1)