TechGenix patch roundup: January non-Microsoft patches

The brand new roaring ’20s are upon us, and consultants predict that the approaching decade will see an evolution in the tactics and techniques of cybercriminals that’s positive to current new challenges to IT admin and safety personnel. Ransomware, already a serious downside, is predicted to proceed rising to disaster ranges with “malware as a service” making attackers’ nefarious duties simpler than ever. Managed service suppliers (MSPs) are pegged as a favourite goal of cyberattackers. CISO Magazine reports that “deepfake technology” is bound to enhance, ransomware assaults will seemingly change into extra focused and morph into two-stage extortion campaigns, and API-enabled apps will likely be acknowledged because the weak link that permits attackers to entry delicate information. As if these warnings on the digital entrance weren’t sufficient, the primary month of this new yr turned the world’s focus to a risk of a distinct form: the brand new coronavirus that has unfold from China to nations all through the world. Some cybercriminals saw the epidemic as an opportunity to make use of worry of the organic virus to steer folks to open malware-laden e-mail attachments that distribute the Emotet Trojan. Will probably be extra essential than ever this yr to stay vigilant, and meaning making use of safety patches as shortly as attainable after launch. Software program distributors have stayed busy producing updates to guard in opposition to the safety holes of their merchandise. Let’s check out among the patches issued in January for non-Microsoft merchandise.

Apple

January non-Microsoft patches

Shutterstock

Apple launched eight product patches in December, however they did that two higher in January, with a complete of 10 updates launched. The primary, launched Jan. 8 for iCloud for Home windows, didn’t deal with any printed CVEs. The remaining had been all launched finish the top of the month, on Jan. 28 and 29, and embody the next:

  • iTunes 12.10.4 for Home windows 7 and later. This replace addresses eight vulnerabilities within the ImageIO, libxml2, Cell Machine Service, WebKit, and WebKit Web page Loading parts. The vulnerabilities embody a number of reminiscence corruption points that would result in arbitrary code execution, a denial of service subject, a buffer overflow vulnerability, an out-of-bounds learn subject, and an issue with permissions logic that would enable entry to protected components of the file system.
  • tvOS 13.3.1 for Apple TV 4K and Apple TV HD. This replace addresses most of the identical vulnerabilities patched in iTunes, plus an arbitrary code execution subject in wifivelocityd, 5 kernel vulnerabilities that embody arbitrary code execution and studying of restricted reminiscence. Additionally patched are vulnerabilities in Audio, IOAcceleratorFamily, and IPSec.
  • Safari 13.Zero.5 operating on macOS Mojave and macOS Excessive Sierra, and included in macOS Catalina. This replace for Apple’s internet browser addresses seven vulnerabilities, most of them in WebKit, and so they embody arbitrary code execution, cross-site scripting, deal with bar spoofing, and sending of unencrypted passwords throughout the community.
  • iOS 12.4.5 for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod contact sixth era. This replace has no printed CVE entries.
  • iOS 13.3.1 and iPadOS 13.3.1 for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod contact seventh era. This replace addresses a complete of thirty vulnerabilities, together with a few of these described above in addition to points with the Screenshots, Telephone, Safari Login AutoFill, FaceTime, Messages, and Mail parts. Probably the most severe of those are arbitrary code execution points.
  • iCloud for Home windows 7.17 for Home windows 7 and later. This replace addresses seven updates, all of which have been described above, within the ImageIO, libxml2, WebKit, and WebKit Web page Loading parts. Arbitrary code execution points are probably the most severe.
  • watchOS 6.1.2 for Apple Watch Collection 1 and later. This replace addresses most of the identical vulnerabilities described above, in addition to an arbitrary code execution/surprising software termination subject in AnnotationKit.
  • macOS Catalina 10.15.3, Safety Replace 2020-Zero01 Mojave, Safety Replace 2020-Zero01 Excessive Sierra for macOS Excessive Sierra 10.13.6, macOS Mojave 10.14.6, and macOS Catalina 10.15.2. This replace addresses thirty-two vulnerabilities; along with many described above, these embody a number of points in apache_mod_php, a gatekeeper bypass subject in autofs, arbitrary code execution vulnerabilities and an out-of-bounds learn subject in CoreBluetooth, a validation subject in Crash Reporter, and extra.
  • iCloud for Home windows 10.9.2 for Home windows 10 and later by way of the Microsoft Retailer. This replace addresses seven vulnerabilities in ImageIO, libxml2, WebKit, and WebKit Web page Loading, all of that are described above.

For extra details about present and previous patches and the vulnerabilities that they deal with, see the Apple Support website.

Adobe

Adobe launched three replace advisories this month, one fewer than in December. Two had been launched on their customary Patch Tuesday, Jan. 14. These embody:

  • APSB20-03 Safety replace for Adobe Illustrator CC operating on Home windows. This replace addresses 5 important reminiscence corruption vulnerabilities that can lead to arbitrary code execution. It has a precedence score of 3.
  • APSB20-01 Safety replace for Adobe Expertise Supervisor variations 6.Zero by way of 6.5 operating on all platforms. This replace addresses 4 vulnerabilities, three of that are designated essential and one average. They embody two cross-site scripting points, a consumer interface injection subject, and an expression language injection subject. All may result in delicate info disclosure. Precedence score is 2.

On Jan. 28, Adobe launched an out-of-band replace for its cloud commerce service, together with the open-source version:

  • APSB20-02 Safety replace for Magento. This replace addresses six vulnerabilities, three of that are designated important and three essential. These embody two saved cross-site scripting points, deserialization of untrusted information, path traversal, safety bypass, and a SQL injection subject. These can result in delicate info disclosure and arbitrary code execution, and the replace has a precedence score of 2.

For extra info, see the security bulletin summary.

Google

January non-Microsoft patches

On Jan. 16, Google launched the most recent secure channel model of the Chrome desktop internet browser for Home windows, Mac, and Linux. It consists of eleven safety fixes, together with the next:

  • Important CVE-2020-6378: Use-after-free in speech recognizer. Reported by Antti Levomäki and Christian Jalio from Forcepoint on 2019-10-28
  • Excessive CVE-2020-6379: Use-after-free in speech recognizer. Reported by Guang Gong of Alpha Workforce, Qihoo 360 on 2019-12-12
  • Excessive CVE-2020-6380: Extension message verification error. Reported by Sergei Glazunov of Google Mission Zero on 2019-12-09
  • Excessive CVE-2020-0601: Protections to mitigate Home windows ECC certificates validation vulnerability CVE-2020-0601.

For extra info, head over to Google’s blog.

Android

The month-to-month Android safety bulletin was printed on Jan. 6. Probably the most extreme subject addressed by these patches is a important safety vulnerability in Media framework that would allow a distant attacker utilizing a specifically crafted file to execute arbitrary code throughout the context of a privileged course of. Vulnerabilities up to date embody CVEs in Framework, Media Framework, System, the kernel, and Qualcomm parts. Along with the one important subject in Media Framework, there’s a important distant code execution vulnerability within the kernel parts and a number of excessive severity points together with elevation of privilege and denial of service.

For extra details about the vulnerabilities which might be addressed by the Android updates, click here.

Oracle

Oracle usually releases safety updates on a quarterly cycle, in January, April, July, and October. The latest important patch replace occurred on Jan. 14. It accommodates 334 new safety patches throughout the Oracle product households. Oracle clients can learn extra concerning the present patch launch on the Oracle web site.

Mozilla

On Jan. 7, Mozilla launched Firefox 72 with patches for the next vulnerabilities:

  • CVE-2019-17015: Reminiscence corruption in guardian course of throughout new content material course of initialization on Home windows (Excessive severity). In the course of the initialization of a brand new content material course of, a pointer offset will be manipulated resulting in reminiscence corruption and a doubtlessly exploitable crash within the guardian course of. This subject solely happens on Home windows. Different working methods are unaffected.
  • CVE-2019-17016: Bypass of @namespace CSS sanitization throughout pasting (Excessive severity). When pasting a <type> tag from the clipboard right into a wealthy textual content editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This might enable for injection into sure kinds of web sites leading to information exfiltration.
  • CVE-2019-17017: Kind Confusion in XPCVariant.cpp (Excessive severity). Because of a lacking case dealing with object sorts, a sort confusion vulnerability may happen, leading to a crash. We presume that with sufficient effort that it might be exploited to run arbitrary code.
  • CVE-2019-17024: Reminiscence security bugs mounted in Firefox 72 and Firefox ESR 68.4 (Excessive severity). Mozilla builders Jason Kratzer, Christian Holler, and Bob Clary reported reminiscence security bugs current in Firefox 71 and Firefox ESR 68.3. A few of these bugs confirmed proof of reminiscence corruption and we presume that with sufficient effort a few of these may have been exploited to run arbitrary code.
  • CVE-2019-17025: Reminiscence security bugs mounted in Firefox 72 (Excessive severity). Mozilla builders Karl Tomlinson, Jason Kratzer, Tyson Smith, Jon Coppeard, and Christian Holler reported reminiscence security bugs current in Firefox 71. A few of these bugs confirmed proof of reminiscence corruption and we presume that with sufficient effort a few of these may have been exploited to run arbitrary code.
  • CVE-2019-17018: Home windows Keyboard in Non-public Searching Mode might retain phrase ideas (Reasonable severity). When in Non-public Searching Mode on Home windows 10, the Home windows keyboard might retain phrase ideas to enhance the accuracy of the keyboard.
  • CVE-2019-17019: Python information might be inadvertently executed upon opening a download (Reasonable severity). When Python was put in on Home windows, a python file being served with the MIME kind of textual content/plain might be executed by Python as a substitute of being opened as a textual content file when the Open choice was chosen upon download. This subject solely happens on Home windows. Different working methods are unaffected.
  • CVE-2019-17020: Content material Safety Coverage not utilized to XSL stylesheets utilized to XML paperwork (Reasonable severity). If an XML file is served with a Content material Safety Coverage and the XML file consists of an XSL stylesheet, the Content material Safety Coverage won’t be utilized to the contents of the XSL stylesheet. If the XSL sheet e.g. consists of JavaScript, it might bypass any of the restrictions of the Content material Safety Coverage utilized to the XML doc.
  • CVE-2019-17021: Heap deal with disclosure in guardian course of throughout content material course of initialization on Home windows (Reasonable severity). In the course of the initialization of a brand new content material course of, a race situation happens that may enable a content material course of to reveal heap addresses from the guardian course of. This subject solely happens on Home windows. Different working methods are unaffected.
  • CVE-2019-17022: CSS sanitization doesn’t escape HTML tags (Reasonable severity). When pasting a <type> tag from the clipboard right into a wealthy textual content editor, the CSS sanitizer doesn’t escape < and > characters. As a result of the ensuing string is pasted straight into the textual content node of the aspect this doesn’t end in a direct injection into the webpage; nevertheless, if a webpage subsequently copies the node’s innerHTML, assigning it to a different innerHTML, this may end in an XSS vulnerability. Two WYSIWYG editors had been recognized with this conduct, extra might exist.
  • CVE-2019-17023: NSS might negotiate TLS 1.2 or beneath after a TLS 1.3 HelloRetryRequest had been despatched (Low severity). After a HelloRetryRequest has been despatched, the consumer might negotiate a decrease protocol that TLS 1.3, leading to an invalid state transition within the TLS State Machine. If the consumer will get into this state, incoming Utility Knowledge information will likely be ignored.

For extra details about these and different vulnerabilities patched by Mozilla, click here.

Linux

January non-Microsoft patches

Fashionable Linux distros, as standard, have seen a lot of safety advisories and updates this month. As of October 31, Ubuntu has issued the next fifty-five safety advisories since final month’s roundup. A few of these advisories deal with numerous vulnerabilities in a single advisory. In some circumstances, there are a number of advisories for a similar vulnerabilities. Different business Linux distributors issued the same variety of updates.

  • USN-4234-2: Firefox regressions. USN-4234-1 mounted vulnerabilities in Firefox. The replace launched numerous minor regressions. This replace fixes the issues. We apologize for the inconvenience. Unique advisory particulars: A number of safety points had been found in Firefox. If a consumer had been tricked into opening a specifically crafted web site, an attacker may doubtlessly…
  • USN-4262-1: OpenStack Keystone vulnerability. Daniel Preussker found that OpenStack Keystone incorrectly dealt with the listing credentials API. A consumer with a task on the challenge may use this subject to view some other consumer’s credentials.
  • USN-4261-1: WebKitGTK+ vulnerabilities. Numerous safety points had been found within the WebKitGTK+ Net and JavaScript engines. If a consumer had been tricked into viewing a malicious web site, a distant attacker may exploit a wide range of points associated to internet browser safety, together with cross-site scripting assaults, denial of service assaults, and arbitrary code execution.
  • USN-4259-1: Apache Solr vulnerability. Michael Stepankin and Olga Barinova found that Apache Solr was weak to an XXE assault. An attacker may use this vulnerability to remotely execute code.
  • USN-4254-2: Linux kernel (Xenial HWE) vulnerabilities. USN-4254-1 mounted vulnerabilities within the Linux kernel for Ubuntu 16.04 LTS. This replace offers the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 ESM. It was found that the Linux kernel didn’t correctly clear information buildings on context switches for sure Intel graphics.
  • USN-4258-1: Linux kernel vulnerabilities. It was found that the Atheros 802.11ac wi-fi USB machine driver within the Linux kernel didn’t correctly validate machine metadata. A bodily proximate attacker may use this to trigger a denial of service (system crash). (CVE-2019-15099) It was found race situation existed within the Digital Video Check Driver within the Linux kernel.
  • USN-4253-2: Linux kernel (HWE) vulnerability. USN-4253-1 mounted vulnerabilities within the Linux kernel for Ubuntu 19.10. This replace offers the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 19.10 for Ubuntu 18.04 LTS. It was found that the Linux kernel didn’t correctly clear information buildings on context switches for sure Intel graphics processors.
  • USN-4255-2: Linux kernel (HWE) vulnerabilities. USN-4255-1 mounted vulnerabilities within the Linux kernel for Ubuntu 18.04 LTS. This replace offers the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS. It was found that the Linux kernel didn’t correctly clear information buildings on context switches for sure Intel graphics.
  • USN-4257-1: OpenJDK vulnerabilities. It was found that OpenJDK incorrectly dealt with exceptions throughout deserialization in BeanContextSupport. An attacker may use this subject to trigger a denial of service or different unspecified influence. (CVE-2020-2583) It was found that OpenJDK incorrectly validated properties of SASL messages included in Kerberos GSSAPI.
  • USN-4236-3: Libgcrypt vulnerability. USN-4236-1 mounted a vulnerability in Libgcrypt. This replace offers the corresponding replace for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Unique advisory particulars: It was found that Libgcrypt was vulnerable to a ECDSA timing assault. An attacker may use this assault to get well delicate info.
  • USN-4256-1: Cyrus SASL vulnerability. It was found that Cyrus SASL incorrectly dealt with sure LDAP packets. An attacker may use this subject to execute arbitrary code or trigger a denial of service.
  • USN-4255-1: Linux kernel vulnerabilities. It was found that the Linux kernel didn’t correctly clear information buildings on context switches for sure Intel graphics processors. An area attacker may use this to reveal delicate info. (CVE-2019-14615) It was found race situation can result in a use-after-free whereas destroying GEM contexts within the i915 driver.
  • USN-4254-1: Linux kernel vulnerabilities. It was found that the Linux kernel didn’t correctly clear information buildings on context switches for sure Intel graphics processors. An area attacker may use this to reveal delicate info. (CVE-2019-14615) It was found race situation existed within the Digital Video Check Driver within the Linux kernel.
  • USN-4253-1: Linux kernel vulnerability. It was found that the Linux kernel didn’t correctly clear information buildings on context switches for sure Intel graphics processors. An area attacker may use this to reveal delicate info.
  • USN-4252-2: tcpdump vulnerabilities. USN-4252-1 mounted a number of vulnerabilities in tcpdump. This replace offers the corresponding replace for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Unique advisory particulars: A number of safety points had been found in tcpdump. A distant attacker may use these points to trigger tcpdump to crash, leading to a denial of service, or probably execute arbitrary code.
  • USN-4252-1: tcpdump vulnerabilities. A number of safety points had been found in tcpdump. A distant attacker may use these points to trigger tcpdump to crash, leading to a denial of service, or probably execute arbitrary code.
  • USN-4251-1: Tomcat vulnerabilities. It was found that Tomcat incorrectly dealt with the RMI registry when configured with the JMX Distant Lifecycle Listener. An area attacker may use this subject to acquire credentials and acquire full management over the Tomcat occasion. (CVE-2019-12418) It was found that Tomcat incorrectly dealt with FORM authentication.
  • USN-4250-1: MySQL vulnerabilities. A number of safety points had been found in MySQL and this replace consists of new upstream MySQL variations to repair these points. MySQL has been up to date to 8.Zero.19 in Ubuntu 19.10. Ubuntu 16.04 LTS and Ubuntu 18.04 LTS have been up to date to MySQL 5.7.29.
  • USN-4230-2: ClamAV vulnerability. USN-4230-1 mounted a vulnerability in ClamAV. This replace offers the corresponding replace for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Unique advisory particulars: It was found that ClamAV incorrectly dealt with sure MIME messages. A distant attacker may use this subject to trigger ClamAV to crash, leading to a denial of service.
  • USN-4233-2: GnuTLS replace. USN-4233-1 disabled SHA1 getting used for digital signature operations in GnuTLS. In sure community environments, certificates utilizing SHA1 should still be in use. This replace provides the %VERIFY_ALLOW_BROKEN and %VERIFY_ALLOW_SIGN_WITH_SHA1 precedence strings that can be utilized to briefly re-enable SHA1.
  • USN-4247-3: python-apt vulnerabilities. USN-4247-1 mounted a number of vulnerabilities in python-apt. This replace offers the corresponding updates for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Unique advisory particulars: It was found that python-apt would nonetheless use MD5 hashes to validate sure downloaded packages.
  • USN-4249-1: e2fsprogs vulnerability. It was found that e2fsprogs incorrectly dealt with sure ext4 partitions. An attacker may use this subject to execute arbitrary code.
  • USN-4247-2: python-apt regression. USN-4247-1 mounted vulnerabilities in python-apt. The up to date packages triggered a regression when trying to improve to a brand new Ubuntu launch. This replace fixes the issue.
  • USN-4246-1: zlib vulnerabilities. It was found that zlib incorrectly dealt with pointer arithmetic. An attacker may use this subject to trigger zlib to crash, leading to a denial of service, or probably execute arbitrary code. (CVE-2016-9840, CVE-2016-9841) It was found that zlib incorrectly dealt with vectors involving left shifts of detrimental integers.
  • USN-4248-1: GraphicsMagick vulnerabilities. It was found that GraphicsMagick incorrectly dealt with sure picture information. An attacker may use this subject to trigger a denial of service or different unspecified influence.
  • USN-4247-1: python-apt vulnerabilities. It was found that python-apt would nonetheless use MD5 hashes to validate sure downloaded packages. If a distant attacker had been in a position to carry out a man-in-the-middle assault, this flaw may doubtlessly be used to put in altered packages.
  • USN-4245-1: PySAML2 vulnerability. It was found that PySAML2 incorrectly dealt with sure SAML information. An attacker may use this subject to bypass signature verification with arbitrary information.
  • USN-4244-1: Samba vulnerabilities. It was found that Samba didn’t routinely replicate ACLs set to inherit down a subtree on AD Listing, opposite to expectations. This subject was solely addressed in Ubuntu 18.04 LTS, Ubuntu 19.04 and Ubuntu 19.10.
  • USN-4243-1: libbsd vulnerabilities. It was found that libbsd incorrectly dealt with sure inputs. An attacker may use this subject to execute arbitrary code. This subject solely affected Ubuntu 14.04 ESM.
  • USN-4242-1: Sysstat vulnerabilities. It was found that Sysstat incorrectly dealt with sure inputs. An attacker may use this subject to trigger a crash or execute arbitrary code. This subject solely affected Ubuntu 19.04 and Ubuntu 19.10. (CVE-2019-16167) It was found that Sysstat incorrectly dealt with sure inputs. An attacker may use this subject to execute arbitrary code.
  • USN-4225-2: Linux kernel (HWE) vulnerabilities. USN-4225-1 mounted vulnerabilities within the Linux kernel for Ubuntu 19.10. This replace offers the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 19.10 for Ubuntu 18.04 LTS. It was found heap-based buffer overflow existed within the Marvell WiFi-Ex Driver for the Linux kernel.
  • USN-4241-1: Thunderbird vulnerabilities. A number of safety points had been found in Thunderbird. If a consumer had been tricked into opening a specifically crafted web site in a shopping context, an attacker may doubtlessly exploit these to trigger a denial of service, conduct cross-site scripting (XSS) assaults, or execute arbitrary code.
  • USN-4240-1: Kamailio vulnerability. It was found that Kamailio will be exploited through the use of a specifically crafted message that may trigger a buffer overflow subject.
  • USN-4235-2: nginx vulnerability. USN-4235-1 mounted a vulnerability in nginx. This replace offers the corresponding replace for Ubuntu 14.04 ESM. Unique advisory particulars: Bert JW Regeer and Francisco Oca Gonzalez found that nginx incorrectly dealt with sure error_page configurations. A distant attacker may use this subject to carry out HTTP request smuggling.
  • USN-4221-2: libpcap vulnerability. USN-4221-1 mounted a vulnerability in libpcap. This replace offers the corresponding replace for Ubuntu 12.04 ESM. Unique advisory particulars: It was found that libpcap didn’t correctly validate PHB headers in some conditions. An attacker may use this to trigger a denial of service (reminiscence exhaustion).
  • USN-4239-1: PHP vulnerabilities. It was found that PHP incorrectly dealt with sure information. An attacker may use this subject to trigger a denial of service. This subject solely affected Ubuntu 14.04 ESM, 16.04 LTS, 18.04 LTS, 19.04 and 19.10. (CVE-2019-11045) It was found that PHP incorrectly dealt with sure inputs.
  • USN-4237-2: SpamAssassin vulnerabilities. USN-4237-1 mounted a number of vulnerabilities in SpamAssassin. This replace offers the corresponding replace for Ubuntu 12.04 ESM and 14.04 ESM. Unique advisory particulars: It was found that SpamAssassin incorrectly dealt with sure CF information.
  • USN-4238-1: SDL_image vulnerabilities. It was found that SDL_image incorrectly dealt with sure picture information. An attacker may use this subject to trigger a denial of service or different unspecified influence.
  • USN-4236-2: Libgcrypt vulnerability. USN-4236-1 mounted a vulnerability in Libgcrypt. This replace offers the corresponding repair for Ubuntu 16.04 LTS. Unique advisory particulars: It was found that Libgcrypt was vulnerable to a ECDSA timing assault. An attacker may use this assault to get well delicate info.
  • USN-4237-1: SpamAssassin vulnerabilities. It was found that SpamAssassin incorrectly dealt with sure CF information. If a consumer or automated system had been tricked into utilizing a specially-crafted CF file, a distant attacker may run arbitrary code. (CVE-2018-11805) It was found that SpamAssassin incorrectly dealt with sure messages.
  • USN-4236-1: Libgcrypt vulnerability. It was found that Libgcrypt was vulnerable to a ECDSA timing assault. An attacker may use this assault to get well delicate info.
  • USN-4235-1: nginx vulnerability. Bert JW Regeer and Francisco Oca Gonzalez found that nginx incorrectly dealt with sure error_page configurations. A distant attacker may use this subject to carry out HTTP request smuggling assaults and entry sources opposite to expectations.
  • USN-4047-2: libvirt replace vulnerability. USN-4047-1 mounted a vulnerability in libvirt. This replace offers the corresponding replace for Ubuntu 14.04 ESM. Unique advisory particulars: Matthias Gerstner and Ján Tomko found that libvirt incorrectly dealt with sure API calls. An attacker may use this subject to examine for arbitrary information or execute arbitrary binaries.
  • USN-4234-1: Firefox vulnerabilities. A number of safety points had been found in Firefox. If a consumer had been tricked into opening a specifically crafted web site, an attacker may doubtlessly exploit these to trigger a denial of service, acquire delicate info, bypass Content material Safety Coverage (CSP) restrictions, conduct cross-site scripting (XSS) assaults, or execute arbitrary code.
  • USN-4229-1: NTP vulnerability. It was found that ntpq and ntpdc incorrectly dealt with some arguments. An attacker may use this subject to trigger ntpq or ntpdc to crash, execute arbitrary code, or escalate to increased privileges.
  • USN-4233-1: GnuTLS replace. As a safety enchancment, this replace marks SHA1 as being untrusted for digital signature operations.
  • USN-4231-1: NSS vulnerability. It was found that NSS incorrectly dealt with sure inputs. An attacker may use this subject to execute arbitrary code.
  • USN-4232-1: GraphicsMagick vulnerabilities. It was found that GraphicsMagick incorrectly dealt with sure picture information. An attacker may use this subject to trigger a denial of service or different unspecified influence.
  • USN-4230-1: ClamAV vulnerability. It was found that ClamAV incorrectly dealt with sure MIME messages. A distant attacker may use this subject to trigger ClamAV to crash, leading to a denial of service.
  • USN-4227-2: Linux kernel (Azure) vulnerabilities. USN-4227-1 mounted vulnerabilities within the Linux kernel for Ubuntu 18.04 LTS. This replace offers the corresponding updates for the Linux kernel for Microsoft Azure Cloud methods for Ubuntu 14.04 ESM. It was found heap-based buffer overflow existed within the Marvell WiFi-Ex Driver for the Linux kernel.
  • USN-4228-2: Linux kernel (Xenial HWE) vulnerabilities. USN-4228-1 mounted vulnerabilities within the Linux kernel for Ubuntu 16.04 LTS. This replace offers the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 ESM. It was found heap-based buffer overflow existed within the Marvell WiFi-Ex Driver for the Linux kernel.
  • USN-4228-1: Linux kernel vulnerabilities. It was found heap-based buffer overflow existed within the Marvell WiFi-Ex Driver for the Linux kernel. A bodily proximate attacker may use this to trigger a denial of service (system crash) or probably execute arbitrary code.
  • USN-4227-1: Linux kernel vulnerabilities. It was found heap-based buffer overflow existed within the Marvell WiFi-Ex Driver for the Linux kernel. A bodily proximate attacker may use this to trigger a denial of service (system crash) or probably execute arbitrary code.
  • USN-4226-1: Linux kernel vulnerabilities. Michael Hanselmann found that the CIFS implementation within the Linux kernel didn’t sanitize paths returned by an SMB server. An attacker controlling an SMB server may use this to overwrite arbitrary information.
  • USN-4225-1: Linux kernel vulnerabilities. It was found heap-based buffer overflow existed within the Marvell WiFi-Ex Driver for the Linux kernel. A bodily proximate attacker may use this to trigger a denial of service (system crash) or probably execute arbitrary code.

Featured picture: Shutterstock / TechGenix photograph illustration


Publish Views:
154






Learn Subsequent


About the Author

Leave a Reply

Your email address will not be published. Required fields are marked *