SB16-123: Vulnerability Summary for the Week of April 25, 2016

Title: SB16-123: Vulnerability Summary for the Week of April 25, 2016

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:

05/02/2016 09:01 AM EDT

Original release date: May 02, 2016

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary Vendor -- Product	Description	Published	CVSS Score	Source & Patch Info
adobe -- air	Use-after-free vulnerability in the TextField object implementation in Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X and before 11.2.202.554 on Linux, Adobe AIR before 20.0.0.204, Adobe AIR SDK before 20.0.0.204, and Adobe AIR SDK & Compiler before 20.0.0.204 allows attackers to execute arbitrary code via crafted text property, a different vulnerability than CVE-2015-8048, CVE-2015-8049, CVE-2015-8050, CVE-2015-8055, CVE-2015-8056, CVE-2015-8057, CVE-2015-8058, CVE-2015-8059, CVE-2015-8061, CVE-2015-8062, CVE-2015-8063, CVE-2015-8064, CVE-2015-8065, CVE-2015-8066, CVE-2015-8067, CVE-2015-8068, CVE-2015-8069, CVE-2015-8070, CVE-2015-8071, CVE-2015-8401, CVE-2015-8402, CVE-2015-8403, CVE-2015-8404, CVE-2015-8405, CVE-2015-8406, CVE-2015-8410, CVE-2015-8411, CVE-2015-8412, CVE-2015-8413, CVE-2015-8414, CVE-2015-8420, CVE-2015-8421, CVE-2015-8422, CVE-2015-8423, CVE-2015-8424, CVE-2015-8425, CVE-2015-8426, CVE-2015-8427, CVE-2015-8428, CVE-2015-8429, CVE-2015-8430, CVE-2015-8431, CVE-2015-8432, CVE-2015-8433, CVE-2015-8434, CVE-2015-8435, CVE-2015-8436, CVE-2015-8437, CVE-2015-8441, CVE-2015-8442, CVE-2015-8447, CVE-2015-8448, CVE-2015-8449, CVE-2015-8450, CVE-2015-8452, CVE-2015-8454, CVE-2015-8653, CVE-2015-8655, CVE-2015-8821, and CVE-2015-8822.	2016年04月22日	9.3	CVE-2015-8823 CONFIRM MISC

Medium Vulnerabilities

Primary Vendor -- Product	Description	Published	CVSS Score	Source & Patch Info
adobe -- analytics_appmeasurement_for_flash_library	Cross-site scripting (XSS) vulnerability in Adobe Analytics AppMeasurement for Flash Library before 4.0.1, when debugTracking is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.	2016年04月22日	4.3	CVE-2016-1036 CONFIRM
allround_automations -- pl/sql_developer	Allround Automations PL/SQL Developer 11 before 11.0.6 relies on unverified HTTP data for updates, which allows man-in-the-middle attackers to execute arbitrary code by modifying fields in the client-server data stream.	2016年04月25日	6.8	CVE-2016-2346 CERT-VN MISC
blackberry -- enterprise_server	Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2016-1918.	2016年04月22日	4.3	CVE-2016-1917 CONFIRM
blackberry -- enterprise_server	Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2016-1917.	2016年04月22日	4.3	CVE-2016-1918 CONFIRM
blackberry -- enterprise_server	Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.	2016年04月22日	4.3	CVE-2016-3126 CONFIRM
foxitsoftware -- phantompdf	Use-after-free vulnerability in Foxit Reader and PhantomPDF before 7.3.4 on Windows allows remote attackers to execute arbitrary code via a crafted FlateDecode stream in a PDF document.	2016年04月22日	6.8	CVE-2016-4059 CONFIRM MISC
foxitsoftware -- phantompdf	Use-after-free vulnerability in Foxit Reader and PhantomPDF before 7.3.4 on Windows allows remote attackers to cause a denial of service (application crash) via unspecified vectors.	2016年04月22日	5.0	CVE-2016-4060 CONFIRM
foxitsoftware -- phantompdf	Foxit Reader and PhantomPDF before 7.3.4 on Windows allow remote attackers to cause a denial of service (application crash) via a crafted content stream.	2016年04月22日	5.0	CVE-2016-4061 CONFIRM
foxitsoftware -- phantompdf	Foxit Reader and PhantomPDF before 7.3.4 on Windows improperly report format errors recursively, which allows remote attackers to cause a denial of service (application hang) via a crafted PDF.	2016年04月22日	4.3	CVE-2016-4062 CONFIRM
foxitsoftware -- phantompdf	Use-after-free vulnerability in Foxit Reader and PhantomPDF before 7.3.4 on Windows allows remote attackers to execute arbitrary code via an object with a revision number of -1 in a PDF document.	2016年04月22日	6.8	CVE-2016-4063 CONFIRM MISC MISC
foxitsoftware -- phantompdf	Use-after-free vulnerability in the XFA forms handling functionality in Foxit Reader and PhantomPDF before 7.3.4 on Windows allows remote attackers to execute arbitrary code via a crafted remerge call.	2016年04月22日	6.8	CVE-2016-4064 CONFIRM MISC
foxitsoftware -- phantompdf	The ConvertToPDF plugin in Foxit Reader and PhantomPDF before 7.3.4 on Windows, when the gflags app is enabled, allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted (1) JPEG, (2) GIF, or (3) BMP image.	2016年04月22日	6.8	CVE-2016-4065 CONFIRM MISC MISC MISC
linux -- linux_kernel	Memory leak in the cuse_channel_release function in fs/fuse/cuse.c in the Linux kernel before 4.4 allows local users to cause a denial of service (memory consumption) or possibly have unspecified other impact by opening /dev/cuse many times.	2016年04月27日	4.9	CVE-2015-1339 CONFIRM MLIST CONFIRM CONFIRM CONFIRM CONFIRM
linux -- linux_kernel	The aiptek_probe function in drivers/input/tablet/aiptek.c in the Linux kernel before 4.4 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device that lacks endpoints.	2016年04月27日	4.9	CVE-2015-7515 CONFIRM CONFIRM CONFIRM CONFIRM
linux -- linux_kernel	Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (panic) or possibly have unspecified other impact via vectors involving an invalid USB descriptor.	2016年04月27日	4.9	CVE-2016-2384 CONFIRM CONFIRM CONFIRM MLIST
linux -- linux_kernel	Race condition in the queue_delete function in sound/core/seq/seq_queue.c in the Linux kernel before 4.4.1 allows local users to cause a denial of service (use-after-free and system crash) by making an ioctl call at a certain time.	2016年04月27日	4.7	CVE-2016-2544 CONFIRM CONFIRM CONFIRM MLIST CONFIRM
linux -- linux_kernel	The snd_timer_interrupt function in sound/core/timer.c in the Linux kernel before 4.4.1 does not properly maintain a certain linked list, which allows local users to cause a denial of service (race condition and system crash) via a crafted ioctl call.	2016年04月27日	4.7	CVE-2016-2545 CONFIRM MLIST CONFIRM CONFIRM CONFIRM
linux -- linux_kernel	sound/core/timer.c in the Linux kernel before 4.4.1 uses an incorrect type of mutex, which allows local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call.	2016年04月27日	4.7	CVE-2016-2546 CONFIRM MLIST CONFIRM CONFIRM CONFIRM
linux -- linux_kernel	sound/core/timer.c in the Linux kernel before 4.4.1 employs a locking approach that does not consider slave timer instances, which allows local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call.	2016年04月27日	4.7	CVE-2016-2547 CONFIRM MLIST CONFIRM CONFIRM CONFIRM
linux -- linux_kernel	fs/pipe.c in the Linux kernel before 4.5 does not limit the amount of unread data in pipes, which allows local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes.	2016年04月27日	4.9	CVE-2016-2847 MLIST CONFIRM CONFIRM CONFIRM
novell -- service_desk	Directory traversal vulnerability in the import users feature in Micro Focus Novell Service Desk before 7.2 allows remote authenticated administrators to upload and execute arbitrary JSP files via a .. (dot dot) in a filename within a multipart/form-data POST request to a LiveTime.woa URL.	2016年04月22日	6.5	CVE-2016-1593 CONFIRM MISC MISC
novell -- service_desk	Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to read arbitrary attachments via a request to a LiveTime.woa URL, as demonstrated by obtaining sensitive information via a (1) downloadLogFiles or (2) downloadFile action.	2016年04月22日	4.0	CVE-2016-1594 CONFIRM MISC MISC
novell -- service_desk	LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile in Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to conduct Hibernate Query Language (HQL) injection attacks and obtain sensitive information via the entityName parameter.	2016年04月22日	4.0	CVE-2016-1595 CONFIRM MISC MISC
qemu -- qemu	Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes.	2016年04月26日	6.8	CVE-2016-4002 MLIST CONFIRM MLIST MLIST
samba -- samba	Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not properly implement the DCE-RPC layer, which allows remote attackers to perform protocol-downgrade attacks, cause a denial of service (application crash or CPU consumption), or possibly execute arbitrary code on a client system via unspecified vectors.	2016年04月24日	4.3	CVE-2015-5370 CONFIRM
samba -- samba	The NTLMSSP authentication implementation in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 allows man-in-the-middle attackers to perform protocol-downgrade attacks by modifying the client-server data stream to remove application-layer flags or encryption settings, as demonstrated by clearing the NTLMSSP_NEGOTIATE_SEAL or NTLMSSP_NEGOTIATE_SIGN option to disrupt LDAP security.	2016年04月24日	4.3	CVE-2016-2110 CONFIRM
samba -- samba	The NETLOGON service in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2, when a domain controller is configured, allows remote attackers to spoof the computer name of a secure channel's endpoint, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic, a related issue to CVE-2015-0005.	2016年04月24日	4.3	CVE-2016-2111 CONFIRM
samba -- samba	The bundled LDAP client library in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not recognize the "client ldap sasl wrapping" setting, which allows man-in-the-middle attackers to perform LDAP protocol-downgrade attacks by modifying the client-server data stream.	2016年04月24日	4.3	CVE-2016-2112 CONFIRM
samba -- samba	Samba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not verify X.509 certificates from TLS servers, which allows man-in-the-middle attackers to spoof LDAPS and HTTPS servers and obtain sensitive information via a crafted certificate.	2016年04月24日	5.8	CVE-2016-2113 CONFIRM
samba -- samba	The SMB1 protocol implementation in Samba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not recognize the "server signing = mandatory" setting, which allows man-in-the-middle attackers to spoof SMB servers by modifying the client-server data stream.	2016年04月24日	4.3	CVE-2016-2114 CONFIRM
samba -- samba	Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not require SMB signing within a DCERPC session over ncacn_np, which allows man-in-the-middle attackers to spoof SMB clients by modifying the client-server data stream.	2016年04月24日	4.3	CVE-2016-2115 CONFIRM
squid -- squid_cache	Buffer overflow in cachemgr.cgi in Squid 2.x, 3.x before 3.5.17, and 4.x before 4.0.9 might allow remote attackers to cause a denial of service or execute arbitrary code by seeding manager reports with crafted data.	2016年04月25日	6.8	CVE-2016-4051 CONFIRM SECTRACK MLIST MLIST
squid -- squid_cache	Multiple stack-based buffer overflows in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote HTTP servers to cause a denial of service or execute arbitrary code via crafted Edge Side Includes (ESI) responses.	2016年04月25日	6.8	CVE-2016-4052 CONFIRM SECTRACK MLIST MLIST
squid -- squid_cache	Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote attackers to obtain sensitive stack layout information via crafted Edge Side Includes (ESI) responses, related to incorrect use of assert and compiler optimization.	2016年04月25日	4.3	CVE-2016-4053 CONFIRM SECTRACK MLIST MLIST
squid -- squid_cache	Buffer overflow in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allows remote attackers to execute arbitrary code via crafted Edge Side Includes (ESI) responses.	2016年04月25日	6.8	CVE-2016-4054 CONFIRM SECTRACK MLIST MLIST
symantec -- messaging_gateway	The management console on Symantec Messaging Gateway (SMG) Appliance devices before 10.6.1 allows local users to obtain root-shell access via crafted terminal-window input.	2016年04月22日	6.5	CVE-2016-2204 CONFIRM BID
wireshark -- wireshark	epan/proto.c in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 does not limit the protocol-tree depth, which allows remote attackers to cause a denial of service (stack memory consumption and application crash) via a crafted packet.	2016年04月25日	4.3	CVE-2016-4006 CONFIRM CONFIRM CONFIRM
wireshark -- wireshark	epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 2.0.x before 2.0.3 does not properly initialize memory for search patterns, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.	2016年04月25日	4.3	CVE-2016-4076 CONFIRM CONFIRM CONFIRM
wireshark -- wireshark	epan/reassemble.c in TShark in Wireshark 2.0.x before 2.0.3 relies on incorrect special-case handling of truncated Tvb data structures, which allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted packet.	2016年04月25日	4.3	CVE-2016-4077 CONFIRM MISC CONFIRM CONFIRM
wireshark -- wireshark	The IEEE 802.11 dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 does not properly restrict element lists, which allows remote attackers to cause a denial of service (deep recursion and application crash) via a crafted packet, related to epan/dissectors/packet-capwap.c and epan/dissectors/packet-ieee80211.c.	2016年04月25日	4.3	CVE-2016-4078 CONFIRM CONFIRM CONFIRM CONFIRM
wireshark -- wireshark	epan/dissectors/packet-pktc.c in the PKTC dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 does not verify BER identifiers, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) via a crafted packet.	2016年04月25日	4.3	CVE-2016-4079 CONFIRM CONFIRM CONFIRM
wireshark -- wireshark	epan/dissectors/packet-pktc.c in the PKTC dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 misparses timestamp fields, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet.	2016年04月25日	4.3	CVE-2016-4080 CONFIRM CONFIRM CONFIRM
wireshark -- wireshark	epan/dissectors/packet-iax2.c in the IAX2 dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet.	2016年04月25日	4.3	CVE-2016-4081 CONFIRM CONFIRM CONFIRM
wireshark -- wireshark	epan/dissectors/packet-gsm_cbch.c in the GSM CBCH dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 uses the wrong variable to index an array, which allows remote attackers to cause a denial of service (out-of-bounds access and application crash) via a crafted packet.	2016年04月25日	4.3	CVE-2016-4082 CONFIRM CONFIRM CONFIRM
wireshark -- wireshark	epan/dissectors/packet-mswsp.c in the MS-WSP dissector in Wireshark 2.0.x before 2.0.3 does not ensure that data is available before array allocation, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.	2016年04月25日	4.3	CVE-2016-4083 CONFIRM CONFIRM CONFIRM
wireshark -- wireshark	Integer signedness error in epan/dissectors/packet-mswsp.c in the MS-WSP dissector in Wireshark 2.0.x before 2.0.3 allows remote attackers to cause a denial of service (integer overflow and application crash) via a crafted packet that triggers an unexpected array size.	2016年04月25日	4.3	CVE-2016-4084 CONFIRM CONFIRM CONFIRM
wireshark -- wireshark	Stack-based buffer overflow in epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 1.12.x before 1.12.11 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long string in a packet.	2016年04月25日	4.3	CVE-2016-4085 CONFIRM CONFIRM CONFIRM

Low Vulnerabilities

Primary Vendor -- Product	Description	Published	CVSS Score	Source & Patch Info
blackberry -- enterprise_server	Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote authenticated users to inject arbitrary web script or HTML by leveraging basic administrative access to create a crafted policy, leading to improper rendering on a certain Export IT screen.	2016年04月22日	3.5	CVE-2016-1916 CONFIRM
novell -- service_desk	Multiple cross-site scripting (XSS) vulnerabilities in Micro Focus Novell Service Desk before 7.2 allow remote authenticated users to inject arbitrary web script or HTML via a certain (1) user name, (2) tf_aClientFirstName, (3) tf_aClientLastName, (4) ta_selectedTopicContent, (5) tf_orgUnitName, (6) tf_aManufacturerFullName, (7) tf_aManufacturerName, (8) tf_aManufacturerAddress, or (9) tf_aManufacturerCity parameter.	2016年04月22日	3.5	CVE-2016-1596 CONFIRM MISC MISC
symantec -- messaging_gateway	The management console on Symantec Messaging Gateway (SMG) Appliance devices before 10.6.1 allows local users to discover an encrypted AD password by leveraging certain read privileges.	2016年04月22日	2.1	CVE-2016-2203 CONFIRM BID

Severity Not Yet Assigned

Primary Vendor -- Product	Description	Published	CVSS Score	Source & Patch Info
adobe -- reader	Double free vulnerability in Adobe Reader and Acrobat before 11.0.14, Acrobat and Acrobat Reader DC Classic before 15.006.30119, and Acrobat and Acrobat Reader DC Continuous before 15.010.20056 on Windows and OS X allows attackers to execute arbitrary code via a crafted Graphics State dictionary.	2016年04月30日	not yet calculated	CVE-2016-1111 CONFIRM MISC
apache_struts -- dynamic_method_invocation	Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.	2016年04月26日	not yet calculated	CVE-2016-3081 CONFIRM SECTRACK
apache_struts -- xsltresult	XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.	2016年04月26日	not yet calculated	CVE-2016-3082 SECTRACK CONFIRM
atom -- electron	Untrusted search path vulnerability in Atom Electron before 0.33.5 allows local users to gain privileges via a Trojan horse Node.js module in a parent directory of a directory named on a require line.	2016年04月25日	not yet calculated	CVE-2016-1202 CONFIRM CONFIRM JVNDB JVN
cisco -- api	The API in Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) 1.0(1) allows remote attackers to spoof administrative notifications via crafted attribute-value pairs, aka Bug ID CSCux15521.	2016年04月28日	not yet calculated	CVE-2016-1386 CISCO
cisco -- webex_meetings_server_(cwms)	Open redirect vulnerability in Cisco WebEx Meetings Server (CWMS) 2.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors, aka Bug ID CSCuy44695.	2016年04月28日	not yet calculated	CVE-2016-1389 CISCO
cisco -- webex_productivity	Untrusted search path vulnerability in Cisco WebEx Productivity Tools 2.40.5001.10012 allows local users to gain privileges via a Trojan horse cryptsp.dll, dwmapi.dll, msimg32.dll, ntmarta.dll, propsys.dll, riched20.dll, rpcrtremote.dll, secur32.dll, sxs.dll, or uxtheme.dll file in the current working directory, aka Bug ID CSCuy56140.	2016年04月28日	not yet calculated	CVE-2016-4349 MISC
cisco -- xml_parser	The XML parser in Cisco Information Server (CIS) 6.2 allows remote attackers to read arbitrary files or cause a denial of service (CPU and memory consumption) via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCuy39059.	2016年04月30日	not yet calculated	CVE-2016-1343 CISCO
cybozu -- kintone_mobile	The Cybozu kintone mobile application 1.x before 1.0.6 for Android allows attackers to discover an authentication token via a crafted application.	2016年04月25日	not yet calculated	CVE-2016-1185 CONFIRM JVNDB JVN
ec_cube -- cross_site scripting_(xss)	Cross-site scripting (XSS) vulnerability in the shiro8 (1) category_freearea_ addition_plugin plugin 1.0 and (2) itemdetail_freearea_ addition_plugin plugin 1.0 for EC-CUBE allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.	2016年04月27日	not yet calculated	CVE-2016-1205 CONFIRM JVNDB JVN
gd_graphics_library -- integer_signedness_error	Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow.	2016年04月26日	not yet calculated	CVE-2016-3074 CONFIRM SECTRACK BUGTRAQ DEBIAN FULLDISC MISC
ibm -- db2	IBM DB2 9.7 through FP11, 9.8, 10.1 through FP5, and 10.5 through FP7 on Linux, UNIX, and Windows allows remote authenticated users to cause a denial of service (daemon crash) via a crafted DRDA message.	2016年04月27日	not yet calculated	CVE-2016-0211 CONFIRM AIXAPAR AIXAPAR AIXAPAR AIXAPAR
linux -- arch/powerpc/kernel/process.c	The tm_reclaim_thread function in arch/powerpc/kernel/process.c in the Linux kernel before 4.4.1 on powerpc platforms does not ensure that TM suspend mode exists before proceeding with a tm_reclaim call, which allows local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application.	2016年04月27日	not yet calculated	CVE-2015-8845 CONFIRM CONFIRM MLIST CONFIRM CONFIRM
linux -- arch/x86/mm/mmap.c	The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel through 4.5.2 does not properly randomize the legacy base address, which makes it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits.	2016年04月27日	not yet calculated	CVE-2016-3672 CONFIRM CONFIRM CONFIRM
linux -- arch/x86/mm/tlb.c	Race condition in arch/x86/mm/tlb.c in the Linux kernel before 4.4.1 allows local users to gain privileges by triggering access to a paging structure by a different CPU.	2016年04月27日	not yet calculated	CVE-2016-2069 CONFIRM CONFIRM MLIST CONFIRM CONFIRM
linux -- drivers/infiniband/hw/cxgb3/iwch_cm.c	drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel before 4.5 does not properly identify error conditions, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted packets.	2016年04月27日	not yet calculated	CVE-2015-8812 CONFIRM CONFIRM MLIST CONFIRM
linux -- drivers/input/tablet/wacom_sys.c	The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel before 3.17 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.	2016年04月27日	not yet calculated	CVE-2016-3139 CONFIRM MISC CONFIRM CONFIRM CONFIRM MISC
linux -- drivers/usb/core/hub.c	The hub_activate function in drivers/usb/core/hub.c in the Linux kernel before 4.3.5 does not properly maintain a hub-interface data structure, which allows physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device.	2016年04月27日	not yet calculated	CVE-2015-8816 CONFIRM CONFIRM MLIST CONFIRM CONFIRM
linux -- drivers/usb/serial/visor.c	The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint.	2016年04月27日	not yet calculated	CVE-2016-2782 CONFIRM CONFIRM MLIST CONFIRM
linux -- fork_implementation	The fork implementation in the Linux kernel before 4.5 on s390 platforms mishandles the case of four page-table levels, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted application, related to arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h.	2016年04月27日	not yet calculated	CVE-2016-2143 CONFIRM CONFIRM CONFIRM
linux -- fs/pipe.c	The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in a certain Linux kernel backport in the linux package before 3.2.73-2+deb7u3 on Debian wheezy and the kernel package before 3.10.0-229.26.2 on Red Hat Enterprise Linux (RHEL) 7.1 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an "I/O vector array overrun." NOTE: this vulnerability exists because of an incorrect fix for CVE-2015-1805.	2016年04月27日	not yet calculated	CVE-2016-0774 CONFIRM CONFIRM
linux -- integer_xt_alloc_table_info	Integer overflow in the xt_alloc_table_info function in net/netfilter/x_tables.c in the Linux kernel through 4.5.2 on 32-bit platforms allows local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call.	2016年04月27日	not yet calculated	CVE-2016-3135 CONFIRM MISC CONFIRM CONFIRM
linux -- ipv4_implementation	The IPv4 implementation in the Linux kernel before 4.5.2 mishandles destruction of device objects, which allows guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses.	2016年04月27日	not yet calculated	CVE-2016-3156 CONFIRM CONFIRM MLIST CONFIRM
linux -- kernel/bpf/verifier.c	The adjust_branches function in kernel/bpf/verifier.c in the Linux kernel before 4.5 does not consider the delta in the backward-jump case, which allows local users to obtain sensitive information from kernel memory by creating a packet filter and then loading crafted BPF instructions.	2016年04月27日	not yet calculated	CVE-2016-2383 CONFIRM CONFIRM MLIST CONFIRM
linux -- linux_kernel	The Linux kernel before 4.5 allows local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by leveraging incorrect tracking of descriptor ownership and sending each descriptor over a UNIX socket before closing it. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-4312.	2016年04月27日	not yet calculatednot yet calculated	CVE-2016-2550 CONFIRM CONFIRM MLIST CONFIRM
linux -- netfilter_subsystem	The netfilter subsystem in the Linux kernel through 4.5.2 does not validate certain offset fields, which allows local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call.	2016年04月27日	not yet calculated	CVE-2016-3134 CONFIRM MISC CONFIRM CONFIRM
linux -- powerpc_platforms	The signal implementation in the Linux kernel before 4.3.5 on powerpc platforms does not check for an MSR with both the S and T bits set, which allows local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application.	2016年04月27日	not yet calculated	CVE-2015-8844 CONFIRM CONFIRM MLIST CONFIRM CONFIRM
linux -- security/integrity/evm/evm_main.c	The evm_verify_hmac function in security/integrity/evm/evm_main.c in the Linux kernel before 4.5 does not properly copy data, which makes it easier for local users to forge MAC values via a timing side-channel attack.	2016年04月27日	not yet calculated	CVE-2016-2085 CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM
linux -- sound/core/seq/seq_clientmgr.c	The snd_seq_ioctl_remove_events function in sound/core/seq/seq_clientmgr.c in the Linux kernel before 4.4.1 does not verify FIFO assignment before proceeding with FIFO clearing, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted ioctl call.	2016年04月27日	not yet calculated	CVE-2016-2543 CONFIRM CONFIRM MLIST CONFIRM CONFIRM
linux -- sound/core/timer.c	sound/core/hrtimer.c in the Linux kernel before 4.4.1 does not prevent recursive callback access, which allows local users to cause a denial of service (deadlock) via a crafted ioctl call.	2016年04月27日	not yet calculated	CVE-2016-2549 CONFIRM CONFIRM MLIST CONFIRM CONFIRM
linux -- sound/core/timer.c	sound/core/timer.c in the Linux kernel before 4.4.1 retains certain linked lists after a close or stop action, which allows local users to cause a denial of service (system crash) via a crafted ioctl call, related to the (1) snd_timer_close and (2) _snd_timer_stop functions.	2016年04月27日	not yet calculated	CVE-2016-2548 CONFIRM CONFIRM MLIST CONFIRM CONFIRM
linux -- sound/usb/quirks.c	The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor.	2016年04月27日	not yet calculated	CVE-2016-2184 CONFIRM CONFIRM CONFIRM BUGTRAQ BUGTRAQ BUGTRAQ CONFIRM
linux -- suse_linux_enterprise_12_sp1	yast2-users before 3.1.47, as used in SUSE Linux Enterprise 12 SP1, does not properly set empty password fields in /etc/shadow during an AutoYaST installation when the profile does not contain inst-sys users, which might allow attackers to have unspecified impact via unknown vectors.	2016年04月26日	not yet calculated	CVE-2016-1601 CONFIRM CONFIRM SUSE
lockon -- ec_cube	Cross-site request forgery (CSRF) vulnerability in LOCKON EC-CUBE 3.0.0 through 3.0.9 allows remote attackers to hijack the authentication of administrators.	2016年04月30日	not yet calculated	CVE-2016-1201 CONFIRM CONFIRM JVNDB JVN
lockon -- ec_cube	The login page in the management screen in LOCKON EC-CUBE 3.0.0 through 3.0.9 allows remote attackers to bypass intended IP address restrictions via unspecified vectors, a different vulnerability than CVE-2016-1200.	2016年04月30日	not yet calculated	CVE-2016-1199 CONFIRM CONFIRM JVNDB JVN
lockon -- ec_cube	The management screen in LOCKON EC-CUBE 3.0.7 through 3.0.9 allows remote attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2016-1199.	2016年04月30日	not yet calculated	CVE-2016-1200 CONFIRM CONFIRM JVNDB JVN
mozilla -- android	Mozilla Firefox before 46.0 on Android before 5.0 allows attackers to bypass intended Signature access requirements via a crafted application that leverages content-provider permissions, as demonstrated by reading the browser history or a saved password.	2016年04月30日	not yet calculatednot yet calculated	CVE-2016-2810 CONFIRM CONFIRM
mozilla -- android	Mozilla Firefox before 46.0 on Android does not properly restrict _javascript_ access to orientation and motion data, which allows remote attackers to obtain sensitive information about a device's physical environment, and possibly discover PIN values, via a crafted web site, a similar issue to CVE-2016-1780.	2016年04月30日	not yet calculated	CVE-2016-2813 CONFIRM CONFIRM MISC
mozilla -- browser/components/extensions/ext_tabs.js	The WebExtension sandbox feature in browser/components/extensions/ext-tabs.js in Mozilla Firefox before 46.0 does not properly restrict principal inheritance during chrome.tabs.create and chrome.tabs.update API calls, which allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted extension that accesses a (1) _javascript_: or (2) data: URL.	2016年04月30日	not yet calculated	CVE-2016-2817 CONFIRM CONFIRM
mozilla -- browser_engine	Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 46.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.	2016年04月30日	not yet calculated	CVE-2016-2804 CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM
mozilla -- browser_engine	Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 46.0 and Firefox ESR 45.x before 45.1 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.	2016年04月30日	not yet calculated	CVE-2016-2806 CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM
mozilla -- browser_engine	Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 46.0, Firefox ESR 38.x before 38.8, and Firefox ESR 45.x before 45.1 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.	2016年04月30日	not yet calculated	CVE-2016-2807 CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM
mozilla -- browser_engine	Unspecified vulnerability in the browser engine in Mozilla Firefox ESR 38.x before 38.8 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.	2016年04月30日	not yet calculated	CVE-2016-2805 CONFIRM CONFIRM
mozilla -- content_security_policy_(csp)	Mozilla Firefox before 46.0 allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via the multipart/x-mixed-replace content type.	2016年04月30日	not yet calculated	CVE-2016-2816 CONFIRM CONFIRM
mozilla -- firefox_healthreports	The Firefox Health Reports (aka FHR or about:healthreport) feature in Mozilla Firefox before 46.0 does not properly restrict the origin of events, which makes it easier for remote attackers to modify sharing preferences by leveraging access to the remote-report IFRAME element.	2016年04月30日	not yet calculated	CVE-2016-2820 CONFIRM CONFIRM
mozilla -- heap_based_buffer_overflow	Heap-based buffer overflow in the stagefright::SampleTable::parseSampleCencInfo function in libstagefright in Mozilla Firefox before 46.0, Firefox ESR 38.x before 38.8, and Firefox ESR 45.x before 45.1 allows remote attackers to execute arbitrary code via crafted CENC offsets that lead to mismanagement of the sizes table.	2016年04月30日	not yet calculated	CVE-2016-2814 CONFIRM CONFIRM
mozilla -- maintenance_service_updater	The Mozilla Maintenance Service updater in Mozilla Firefox before 46.0 on Windows allows user-assisted remote attackers to delete arbitrary files by leveraging certain local file execution.	2016年04月30日	CVE-2016-2809 CONFIRM CONFIRM
mozilla -- serviceworker_info	Use-after-free vulnerability in the ServiceWorkerInfo class in the Service Worker subsystem in Mozilla Firefox before 46.0 allows remote attackers to execute arbitrary code via vectors related to the BeginReading method.	2016年04月30日	not yet calculated	CVE-2016-2811 CONFIRM CONFIRM
mozilla -- serviceworker_manager	Race condition in the get implementation in the ServiceWorkerManager class in the Service Worker subsystem in Mozilla Firefox before 46.0 allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted web site.	2016年04月30日	not yet calculated	CVE-2016-2812 CONFIRM CONFIRM
mozilla -- watch_implementation	The watch implementation in the _javascript_ engine in Mozilla Firefox before 46.0, Firefox ESR 38.x before 38.8, and Firefox ESR 45.x before 45.1 allows remote attackers to execute arbitrary code or cause a denial of service (generation-count overflow, out-of-bounds HashMap write access, and application crash) via a crafted web site.	2016年04月30日	not yet calculated	CVE-2016-2808 CONFIRM CONFIRM
openssh -- session.c_sshd	The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable.	2016年04月30日	not yet calculated	CVE-2015-8325 CONFIRM CONFIRM CONFIRM CONFIRM
syslink -- sl_1000_(m2m)_modular_gateway	flu.cgi in the web interface on SysLINK SL-1000 Machine-to-Machine (M2M) Modular Gateway devices with firmware before 01A.8 allows remote authenticated users to execute arbitrary commands via the 5066 (aka dnsmasq) parameter.	2016年04月25日	not yet calculated	CVE-2016-2332 CERT-VN
syslink -- sl_1000_(m2m)_modular_gateway	SysLINK SL-1000 Machine-to-Machine (M2M) Modular Gateway devices with firmware before 01A.8 use the same hardcoded encryption key across different customers' installations, which allows attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation.	2016年04月25日	not yet calculated	CVE-2016-2333 CERT-VN
syslink -- sl_1000_(m2m)_modular_gateway	The web interface on SysLINK SL-1000 Machine-to-Machine (M2M) Modular Gateway devices with firmware before 01A.8 has a default password, which makes it easier for remote attackers to obtain access via unspecified vectors.	2016年04月25日	not yet calculated	CVE-2016-2331 CERT-VN
varnish -- stacked_installations	Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r (carriage return) character in conjunction with multiple Content-Length headers in an HTTP request.	2016年04月25日	not yet calculated	CVE-2015-8852 MLIST CONFIRM CONFIRM MLIST MLIST DEBIAN
wireshark -- asn.1_ber	epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1.12.x before 1.12.10 and 2.x before 2.0.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet that triggers an empty set.	2016年04月30日	not yet calculated	CVE-2016-4418 CONFIRM CONFIRM
wireshark -- asn.1_ber	epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1.12.x before 1.12.10 and 2.x before 2.0.2 allows remote attackers to cause a denial of service (deep recursion, stack consumption, and application crash) via a packet that specifies deeply nested data.	2016年04月30日	not yet calculated	CVE-2016-4421 CONFIRM CONFIRM
wireshark -- epan/dissectors/packet-gsm_abis_oml.c	Off-by-one error in epan/dissectors/packet-gsm_abis_oml.c in the GSM A-bis OML dissector in Wireshark 1.12.x before 1.12.10 and 2.x before 2.0.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet that triggers a 0xff tag value.	2016年04月30日	not yet calculated	CVE-2016-4417 CONFIRM CONFIRM
wireshark -- ieee_802.11_dissector	epan/dissectors/packet-ieee80211.c in the IEEE 802.11 dissector in Wireshark 2.x before 2.0.2 mishandles the Grouping subfield, which allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.	2016年04月30日	not yet calculated	CVE-2016-4416 CONFIRM CONFIRM
wireshark -- ixia_ixveriwave	wiretap/vwr.c in the Ixia IxVeriWave file parser in Wireshark 2.x before 2.0.2 incorrectly increases a certain octet count, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) via a crafted file.	2016年04月30日	not yet calculated	CVE-2016-4415 CONFIRM MISC CONFIRM
wireshark -- nfs_dissector	The NFS dissector in Wireshark 2.x before 2.0.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet.	2016年04月30日	not yet calculated	CVE-2016-4420 CONFIRM
wireshark -- spice	epan/dissectors/packet-spice.c in the SPICE dissector in Wireshark 2.x before 2.0.2 mishandles capability data, which allows remote attackers to cause a denial of service (large loop) via a crafted packet.	2016年04月30日	not yet calculated	CVE-2016-4419 CONFIRM CONFIRM

This product is provided subject to this Notification and this Privacy & Use policy.

A copy of this publication is available at www.us-cert.gov. If you need help or have questions, please send an email to info@xxxxxxxxxxx. Do not reply to this message since this email was sent from a notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT@xxxxxxxxxxxxxxxx to your address book.

OTHER RESOURCES:

STAY CONNECTED:

SUBSCRIBER SERVICES:
Manage Preferences | Unsubscribe | Help

This email was sent to linux-security@xxxxxxxxxxx using GovDelivery, on behalf of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray Lane SW Bldg 410 · Washington, DC 20598 · (888) 282-0870 Powered by GovDelivery