Test ID: | 1.3.6.1.4.1.25623.1.0.123288 |
Category: | Oracle Linux Local Security Checks |
Title: | Oracle: Security Advisory (ELSA-2014-1388) |
Summary: | The remote host is missing an update for the 'cups' package(s) announced via the ELSA-2014-1388 advisory. |
Description: |
Summary: The remote host is missing an update for the 'cups' package(s) announced via the ELSA-2014-1388 advisory.

Vulnerability Insight:

[1:1.4.2-67]
- Revert change to whitelist /rss/ resources, as this was not used upstream.

[1:1.4.2-66]
- More STR #4461 fixes from upstream: make rss feeds world-readable, but cachedir private.
- Fix icon display in web interface during server restart (STR #4475).

[1:1.4.2-65]
- Fixes for upstream patch for STR #4461: allow /rss/ requests for files we created.

[1:1.4.2-64]
- Use upstream patch for STR #4461.

[1:1.4.2-63]
- Applied upstream patch to fix CVE-2014-5029 (bug #1122600), CVE-2014-5030 (bug #1128764), CVE-2014-5031 (bug #1128767).
- Fix conf/log file reading for authenticated users (STR #4461).

[1:1.4.2-62]
- Fix CGI handling (STR #4454, bug #1120419).

[1:1.4.2-61]
- fix patch for CVE-2014-3537 (bug #1117794)

[1:1.4.2-60]
- CVE-2014-2856: cross-site scripting flaw (bug #1117798)
- CVE-2014-3537: insufficient checking leads to privilege escalation (bug #1117794)

[1:1.4.2-59]
- Removed package description changes.

[1:1.4.2-58]
- Applied patch to fix 'Bad request' errors as a result of adding in httpSetTimeout (STR #4440, also part of svn revision 9967).

[1:1.4.2-57]
- Fixed timeout issue with cupsd reading when there is no data ready (bug #1110045).

[1:1.4.2-56]
- Fixed synconclose patch to avoid 'too many arguments for format' warning.
- Fixed settimeout patch to include math.h for fmod declaration.

[1:1.4.2-55]
- Fixed typo preventing web interface from changing driver (bug #1104483, STR #3601).
- Fixed SyncOnClose patch (bug #984883).

[1:1.4.2-54]
- Use upstream patch to avoid replaying GSS credentials (bug #1040293).

[1:1.4.2-53]
- Prevent BrowsePoll problems across suspend/resume (bug #769292):
- Eliminate indefinite wait for response (svn revision 9688).
- Backported httpSetTimeout API function from CUPS 1.5 and use it in the ipp backend so that we wait indefinitely until the printer responds, we get a hard error, or the job is cancelled.
- cups-polld: reconnect on error.
- Added new SyncOnClose directive to use fsync() after altering configuration files: defaults to 'Yes'. Adjust in cupsd.conf (bug #984883).
- Fix cupsctl man page typo (bug #1011076).
- Use more portable rpm specfile syntax for conditional php building (bug #988598).
- Fix SetEnv directive in cupsd.conf (bug #986495).
- Fix 'collection' attribute sending (bug #978387).
- Prevent format_log segfault (bug #971079).
- Prevent stringpool corruption (bug #884851).
- Don't crash when job queued for printer that times out (bug #855431).
- Upstream patch for broken multipart handling (bug #852846).
- Install /etc/cron.daily/cups with correct permissions (bug #1012482).

Affected Software/OS: 'cups' package(s) on Oracle Linux 6.

Solution: Please install the updated package(s).

CVSS Score: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N |
Cross-reference: |
Common Vulnerability Exposure (CVE) ID: CVE-2014-2856
- BugTraq ID: 66788 http://www.securityfocus.com/bid/66788
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:108
- http://www.openwall.com/lists/oss-security/2014/04/14/2
- http://www.openwall.com/lists/oss-security/2014/04/15/3
- RedHat Security Advisories: RHSA-2014:1388 http://rhn.redhat.com/errata/RHSA-2014-1388.html
- http://secunia.com/advisories/57880
- http://www.ubuntu.com/usn/USN-2172-1

Common Vulnerability Exposure (CVE) ID: CVE-2014-3537
- 1030611 http://www.securitytracker.com/id/1030611
- 59945 http://secunia.com/advisories/59945
- 60273 http://secunia.com/advisories/60273
- 60787 http://secunia.com/advisories/60787
- 68788 http://www.securityfocus.com/bid/68788
- APPLE-SA-2014-10-16-1 http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html
- FEDORA-2014-8351 http://lists.fedoraproject.org/pipermail/package-announce/2014-July/135528.html
- MDVSA-2015:108
- RHSA-2014:1388
- USN-2293-1 http://www.ubuntu.com/usn/USN-2293-1
- http://advisories.mageia.org/MGASA-2014-0313.html
- http://www.cups.org/blog.php?L724
- http://www.cups.org/str.php?L4450
- https://bugzilla.redhat.com/show_bug.cgi?id=1115576
- https://support.apple.com/kb/HT6535

Common Vulnerability Exposure (CVE) ID: CVE-2014-5029
- Debian Security Information: DSA-2990 http://www.debian.org/security/2014/dsa-2990
- http://www.openwall.com/lists/oss-security/2014/07/22/2
- http://www.openwall.com/lists/oss-security/2014/07/22/13
- http://secunia.com/advisories/60509
- http://www.ubuntu.com/usn/USN-2341-1

Common Vulnerability Exposure (CVE) ID: CVE-2014-5030

Common Vulnerability Exposure (CVE) ID: CVE-2014-5031 |
Copyright | Copyright (C) 2015 Greenbone AG |