Multiple security issues have been found in Icedove, Debian's version of
the Mozilla Thunderbird mail and news client: Multiple memory safety
errors and implementation errors may lead to the execution of arbitrary
code or information disclosure.
Jakub Wilk discovered that unace, a utility to extract, test and view
.ace archives, contained an integer overflow leading to a buffer
overflow. If a user or automated system were tricked into processing a
specially crafted ace archive, an attacker could cause a denial of
service (application crash) or, possibly, execute arbitrary code.
Multiple security issues have been found in Iceweasel, Debian's version
of the Mozilla Firefox web browser: Multiple memory safety errors and
implementation errors may lead to the execution of arbitrary code or
It was discovered that libgtk2-perl, a Perl interface to the 2.x series
of the Gimp Toolkit library, incorrectly frees memory which GTK+ still
holds onto and might access later, leading to denial of service
(application crash) or, potentially, to arbitrary code execution.
Peter De Wachter discovered that CUPS, the Common UNIX Printing
System, did not correctly parse compressed raster files. By submitting
a specially crafted raster file, a remote attacker could use this
vulnerability to trigger a buffer overflow.
Richard van Eeden of Microsoft Vulnerability Research discovered that
Samba, an SMB/CIFS file, print, and login server for Unix, contains a
flaw in the netlogon server code which allows remote code execution with
root privileges from an unauthenticated connection.
Kousuke Ebihara discovered that redcloth, a Ruby module used to
convert Textile markup to HTML, did not properly sanitize its
input. This allowed a remote attacker to perform a cross-site
Jakub Wilk reported that sudo, a program designed to provide limited
super user privileges to specific users, preserves the TZ variable from
a user's environment without any sanitization. A user with sudo access
may take advantage of this to exploit bugs in the C library functions
which parse the TZ environment variable or to open files that the user
would not otherwise be able to open. The latter could potentially cause
changes in system behavior when reading certain device special files or
cause the program run via sudo to block.
Jose Duart of the Google Security Team discovered a buffer overflow
in e2fsprogs, a set of utilities for the ext2, ext3, and ext4 file
systems. This issue can possibly lead to arbitrary code execution if
a malicious device is plugged in, the system is configured to
automatically mount it, and the mounting process chooses to run fsck
on the device's malicious filesystem.
It was discovered that LibreOffice, an office productivity suite, could
try to write to invalid memory areas when importing malformed RTF files.
This could allow remote attackers to cause a denial of service (crash)
or arbitrary code execution via crafted RTF files.
Jan-Piet Mens discovered that the BIND DNS server would crash when
processing an invalid DNSSEC key rollover, either due to an error on
the zone operator's part, or due to interference with network traffic
by an attacker. This issue affects configurations with the directives
"dnssec-validation auto;" (as enabled in the Debian default
configuration) or "dnssec-lookaside auto;".
Simon McVittie discovered a local denial of service flaw in dbus, an
asynchronous inter-process communication system. On systems with
systemd-style service activation, dbus-daemon does not prevent forged
ActivationFailure messages from non-root processes. A malicious local
user could use this flaw to trick dbus-daemon into thinking that systemd
failed to activate a system service, resulting in an error reply back to
It was discovered that the REXML parser, part of the interpreter for the
Ruby language, could be coerced into allocating large string objects that
could consume all available memory on the system. This could allow remote
attackers to cause a denial of service (crash).
Michal Zalewski and Hanno Boeck discovered several vulnerabilities in
unrtf, an RTF to other formats converter, leading to a denial of service
(application crash) or, potentially, the execution of arbitrary code.
A flaw was found in the test_compr_eb() function allowing out-of-bounds
read and write access to memory locations. By carefully crafting a
corrupt ZIP archive an attacker can trigger a heap overflow, resulting
in application crash or possibly having other unspecified impact.
Florian Weimer, of Red Hat Product Security, discovered an issue in
condor, a distributed workload management system. Upon job completion,
it can optionally notify a user by sending an email; the mailx
invocation used in that process allowed for any authenticated user
able to submit jobs, to execute arbitrary code with the privileges of
the condor user.
With Linux 4.0, you may never need to reboot your operating system again.
One reason to love Linux on your servers or in your data-center is that you so seldom need to reboot it. True, critical patches require a reboot, but you could go months without rebooting. Now, with the latest changes to the Linux kernel you may be able to go years between reboots.
Following the hugely successful campaign for the new Pebble Time, Pebble is back with two new products: smartstraps and a whole new Pebble, the Pebble Time Steel. Let's start with smartstraps - an idea so simple it's almost silly that Google and Apple didn't come up with it first.
Rather than trying to shove every sensor and doohickey into the Pebble Time, we decided to keep the watch simple and functional and give our incredible maker and developer community the opportunity to build from there. Up until now, if you wanted it all you had to compromise... On battery life, size, design or feature set. Not anymore.
That's why we created Pebble smartstraps. It's simple: straps can now contain electronics and sensors to interface directly with apps running on Pebble Time.
Second, the Pebble Time Steel. It's a more luxurious, metal version of the Pebble Time, but aside from its more premium feel and design, it also sports a larger battery (10 days of use instead of 7 days) and its screen is bonded with the glass. For the rest, it's identical to the Time. I can't believe I'm saying this, but I'm totally loving the gold version with the red band - for a square watch, it simply looks really, really good.
In fact, for me, that specific model is the first Pebble I'd consider wearing. It combines an attractive design with Pebble's superior (over Wear and the Apple Watch) functionality. This could be a winner.
Criminals in the US are using the new Apple Pay mobile payment system to buy high-value goods - often from Apple Stores - with stolen identities and credit card details.
Banks have been caught by surprise by the level of fraud, and the Guardian understands that some are scrambling to ensure that better verification and checking systems are put in place to prevent the problem running out of control, with around two million Americans already using the system.
The crooks have not broken the secure encryption around Apple Pay's fingerprint-activated wireless payment mechanism. Instead, they are setting up new iPhones with stolen personal information, and then calling banks to "provision" the victim's card on the phone to use it to buy goods.
Criminals, uh, find a way.
Tomasz Jokiel has announced the release of Porteus Kiosk 3.3.0, a lightweight Gentoo-based distribution designed for web kiosks: "I'm happy to announce Porteus Kiosk 3.3.0 which is now available for download. This is a major kiosk release which brings a number of new features, package upgrades and security....
This week in DistroWatch Weekly: Reviews: First look at Sabayon 15.02. News: Debian works toward reproducible builds, Linux Mint tests its upcoming Debian Edition, new YaST modules coming to openSUSE and the Linux kernel gets a version bump. Tips and Tricks: Choosing good passwords. Torrent Corner: ArchBang, Greenie, KaOS, Tails,....
David Purse has announced the availability of Simplicity Linux 15.4 beta, a lightweight Puppy-based distribution - now also available in a 64-bit flavour: "Simplicity Linux 15.4 alpha is now available for download. This release cycle marks the start of a new chapter for Simplicity: you can now get....