前往小程序,Get更优阅读体验!
立即前往
首页
学习
活动
专区
工具
TVP
发布
社区首页 >专栏 >Red Hat安全公告—2016年10月

Red Hat安全公告—2016年10月

作者头像
嘉为蓝鲸
发布2018-12-21 10:43:10
6500
发布2018-12-21 10:43:10
举报
文章被收录于专栏:嘉为蓝鲸的专栏

在2016年9月份至2016年10月份 Red hat CVE漏洞库发布了7个“重要”“严重”等级的安全漏洞,针对出现的安全漏洞,发布了对应的Bugzilla。安全公告每月更新一次,旨在查找解决严重的漏洞问题。


2016年10月新的安全漏洞

以下是所有安全公告的内容,供您参考。

CVE名称

等级

影响组件

发布时间

CVE-2016-6325

Important

tomcat、tomcat5、tomcat6

2016/10/10

CVE-2016-5425

Important

tomcat

2016/10/10

CVE-2016-7039

Important

kernel-rt

2016/10/10

CVE-2016-2776

Important

bind、bind97

2016/9/27

CVE-2016-7050

Important

resteasy-base

2016/9/23

CVE-2016-6304

Important

openssl

2016/9/22

CVE-2016-7545

Important

policycoreutils

2016/9/22

关于这些新发布的所有安全漏洞,可在以下页面中找到详细信息:

https://access.redhat.com/security/cve/

备注:需使用您的Red Hat账号登录,方可查看全部安全漏洞详细信息。


安全漏洞详细信息

公告标识 CVE-2016-6325

标题

CVE-2016-6325

描述

It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.

Find out more about CVE-2016-6325 from the MITRE CVE dictionary dictionary and NIST NVD.

最高严重等级

Important

漏洞的影响

Red Hat Enterprise Linux 5 (tomcat5)

Red Hat Enterprise Linux 6 (tomcat6)

Red Hat Enterprise Linux 7 (tomcat)

Bugzilla

1367447: CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation

详细信息

https://access.redhat.com/security/cve/cve-2016-6325

公告标识 CVE-2016-5425

标题

CVE-2016-5425

描述

It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.

Find out more about CVE-2016-5425 from the MITRE CVE dictionary dictionary and NIST NVD.

最高严重等级

Important

漏洞的影响

Red Hat Enterprise Linux 7 (tomcat)

Bugzilla

1362545: CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service

详细信息

https://access.redhat.com/security/cve/cve-2016-5425

公告标识 CVE-2016-7039

标题

CVE-2016-7039

描述

Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local Area Network(CONFIG_VXLAN) with Transparent Ethernet Bridging(TEB) GRO support, is vulnerable to a stack overflow issue. It could occur while receiving large packets via GRO path; As an unlimited recursion could unfold in both VLAN and TEB modules, leading to a stack corruption in the kernel.

Find out more about CVE-2016-7039 from the MITRE CVE dictionary dictionary and NIST NVD

最高严重等级

Important

漏洞的影响

Red Hat Enterprise Linux 7 (kernel-rt)

Bugzilla

1375944: CVE-2016-7039 kernel: remotely triggerable unbounded recursion in the vlan gro code leading to a kernel crash

详细信息

https://access.redhat.com/security/cve/cve-2016-7039

公告标识 CVE-2016-2776

标题

CVE-2016-2776

描述

A denial of service flaw was found in the way BIND constructed a response to a query that met certain criteria. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request packet.

Find out more about CVE-2016-2776 from the MITRE CVE dictionary dictionary and NIST NVD.

最高严重等级

Important

漏洞的影响

Red Hat Enterprise Linux 7 (bind)

Red Hat Enterprise Linux 5 (bind)

Red Hat Enterprise Linux 5 (bind97)

Red Hat Enterprise Linux 6 (bind)

Bugzilla

1378380: CVE-2016-2776 bind: assertion failure in buffer.c while building responses to a specifically constructed request

详细信息

https://access.redhat.com/security/cve/cve-2016-2776

公告标识 CVE-2016-7050

标题

CVE-2016-7050

描述

Under certain conditions it's possible for an attacker to force the use of a SerializableProvider to parse a request in RESTEasy. An attacker can use this flaw to launch a remote code execution attack.

Find out more about CVE-2016-7050 from the MITRE CVE dictionary dictionary and NIST NVD.

最高严重等级

Important

漏洞的影响

Red Hat Enterprise Linux 7 (resteasy-base )

Bugzilla

1378613: CVE-2016-7050 RESTEasy:SerializableProvider enabled by default and deserializes untrusted data

详细信息

https://access.redhat.com/security/cve/cve-2016-7050

公告标识 CVE-2016-6304

标题

CVE-2016-6304

描述

A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support.

Find out more about CVE-2016-6304 from the MITRE CVE dictionary dictionary and NIST NVD.

最高严重等级

Important

漏洞的影响

Red Hat Enterprise Linux 6 (openssl)

Red Hat Enterprise Linux 7 (openssl)

Bugzilla

1377600: CVE-2016-6304 openssl: OCSP Status Request extension unbounded memory growth

详细信息

https://access.redhat.com/security/cve/cve-2016-6304

公告标识 CVE-2016-7545

标题

CVE-2016-7545

描述

It was found that the sandbox tool provided in policycoreutils was vulnerable to a TIOCSTI ioctl attack. A specially crafted program executed via the sandbox command could use this flaw to execute arbitrary commands in the context of the parent bash, escaping the sandbox.

Find out more about CVE-2016-7545 from the MITRE CVE dictionary dictionary and NIST NVD.

最高严重等级

Important

漏洞的影响

Red Hat Enterprise Linux 7 (policycoreutils )

Red Hat Enterprise Linux 6 ( policycoreutils )

Bugzilla

1378577: CVE-2016-7545 policycoreutils: SELinux sandbox escape via TIOCSTI ioctl

详细信息

https://access.redhat.com/security/cve/cve-2016-3610

注意和免责声明

关于信息的一致性:

如果Redhat CVE漏洞库网站上的安全公告内容和本文中的内容不一致,请以网站上的安全公告内容为准。

本文参与 腾讯云自媒体同步曝光计划,分享自微信公众号。
原始发表:2016-10-18,如有侵权请联系 cloudcommunity@tencent.com 删除

本文分享自 嘉为科技 微信公众号,前往查看

如有侵权,请联系 cloudcommunity@tencent.com 删除。

本文参与 腾讯云自媒体同步曝光计划  ,欢迎热爱写作的你一起参与!

评论
登录后参与评论
0 条评论
热度
最新
推荐阅读
领券
问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档