Release Notes for Snare Central v7.1.3


Snare Central v7.1.3 was released on 8th December 2016

New Features

  • New objectives have been added for Palo Alto Networks firewalls. Objectives can be selected using the "Change Objective Type" button in the Objective Configuration window.
  • Sample objectives for Palo Alto Networks firewalls, F5 ASM violation logs, Sidewinder firewalls, and Web Server response codes have been added to the default installation list.

Enhancements

  • Increased the maximum values for large queries in the Snare Configuration Wizard under the Performance and Hardware tab. Queries are now allowed to run for up to 600 minutes, and use more than 5 million rows in the report. Use the larger settings with caution as they can result in significant memory usage at both the server end, and within the browser if very large reports are created.
  • Additional support for incoming RFC 5424 syslog messages: The collection subsystem will now process messages that do not quite meet the RFC5424 standard, but are close enough to meeting the specification that we can still derive essential details.
  • Additional support for collecting data from Palo Alto firewalls.
  • Oracle tabular output will now append useful textual representations to the ACTION and PRIVILEGE numbers reported by Oracle. The dynamic query configuration panel will also allow you to select ACTION/PRIV elements by their textual representation.
  • Improved handling of TCP/TLS connections. TLS connections are now shut down gracefully, as per the RFC, when the server disconnects the client, and some rare TCP cases where sockets took longer to shut down than expected are handled better.
  • For updates specifically from Snare Server v7.1.2 or above, operating system package updates have been rolled back into the normal update process, rather than running as a post-update addendum. Additional feedback on what is being updated is available to the user updating the system.

Bug Fixes

  • The AMC was not handling the more complex session tokens that were added with the 4.3.7 Windows agent; as a result of the increased entropy in the agent's session tokens, they can now include special characters. The AMC now correctly handles session tokens that contain special characters.
  • Fixed a condition in which Snare Collector may terminate at some indeterminate time due to a failed attempt to allocate memory.
  • The SnareCollector WebUI released with 7.1.2 was incompatible with the associated PhantomJS web-page imaging software. This caused the charts of Destinations under "Configure Snare Server Collector/Reflector" to not appear. This is now resolved.
  • The Syslog RFC-5424 header format is PRI VERSION TIMESTAMP HOSTNAME where HOSTNAME is defined to be either a NILVALUE ("-") or an ASCII string. For example:
    <34>1 2003-10-11T22:14:15.003Z mymachine.example.com
    <34>1 2003-10-11T22:14:15.003Z
    Snare Server will now detect a "-" or invalid/missing hostname and insert the IP address of the source into each event under the following configurations:
    1. Syslog RFC5424 input into Snare Server and reflecting to a destination using RFC-3164 format.
    2. Syslog RFC3164 input into Snare Server and reflecting to a destination using RFC-5424 format.
    Note that Snare Server will not modify the event stream if the incoming format and the destination format are the same (for example RFC-3164 to RFC3164 or RFC-5424 to RFC-5424).
  • Corrected an issue where an ISO image created via Data Backup could not be downloaded after it was created in the System | Data Backup | Data Backup web UI, and a blank screen was shown instead. The download process now works correctly and downloads to the browser.
  • SMTP port test now works for port numbers other than port 25 as is common for sites that only use SSL or TLS email ports. Additional feedback is available for circumstances where there are problems with email delivery.
  • Modifications to the DNS server configuration from either the Snare Server UI, or the console administration menu, will now correctly survive a reboot.
  • The file permissions on the TLS server pem file have been strengthened to 600, so the file is readable and writable only by the root user.
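
The hostname rule from the RFC-5424 fix above, for configuration 1 (RFC 5424 in, RFC 3164 out) and for the same-format pass-through, as an added Python example that is not Snare Server code. The function names, the 192.0.2.10 source address and the mapping of APP-NAME/PROCID into an RFC 3164 tag are assumptions made for illustration.

```python
import re

NILVALUE = "-"
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# RFC 5424 header: PRI VERSION TIMESTAMP HOSTNAME, then the rest of the event.
# HOSTNAME and the remainder are optional so a truncated header still parses.
HEADER_5424 = re.compile(r"<(\d{1,3})>(\d{1,2}) (\S+)(?: (\S+))?(?: (.*))?\Z", re.S)
TIMESTAMP_5424 = re.compile(r"(\d{4})-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)")
# RFC 5424 HOSTNAME: 1 to 255 printable US-ASCII characters (codes 33 to 126).
VALID_HOSTNAME = re.compile(r"[\x21-\x7e]{1,255}\Z")

# Constructed sample events (not captured traffic).
SAMPLE_NAMED = ("<34>1 2003-10-11T22:14:15.003Z mymachine.example.com "
                "su - ID47 - 'su root' failed for lonvick on /dev/pts/8")
SAMPLE_NIL = SAMPLE_NAMED.replace(" mymachine.example.com ", " - ", 1)


def effective_hostname(hostname, source_ip):
    """Return the hostname to emit, falling back to the sender's IP address."""
    if hostname is None or hostname == NILVALUE:
        return source_ip                 # missing field or NILVALUE
    if not VALID_HOSTNAME.match(hostname):
        return source_ip                 # non-printable, non-ASCII or too long
    return hostname


def to_rfc3164_timestamp(timestamp):
    """Convert an RFC 5424 timestamp to 'Mmm dd hh:mm:ss' (day is space padded).

    The wall-clock fields are copied as they are; RFC 3164 carries no year or
    time zone, so no zone conversion is attempted here.
    """
    m = TIMESTAMP_5424.match(timestamp)
    if not m or not 1 <= int(m.group(2)) <= 12:
        raise ValueError("unusable timestamp: %r" % timestamp)
    _, month, day, hh, mm, ss = m.groups()
    return "%s %2d %s:%s:%s" % (MONTHS[int(month) - 1], int(day), hh, mm, ss)


def reflect(raw, source_ip, dest_format):
    """Reflect one incoming RFC 5424 event to 'rfc5424' or 'rfc3164'."""
    if dest_format == "rfc5424":
        return raw                       # same format in and out: stream untouched
    if dest_format != "rfc3164":
        raise ValueError("unknown destination format: %r" % dest_format)
    m = HEADER_5424.match(raw)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri, _version, timestamp, hostname, rest = m.groups()
    host = effective_hostname(hostname, source_ip)

    # Remaining RFC 5424 fields: APP-NAME PROCID MSGID, then STRUCTURED-DATA + MSG.
    fields = rest.split(" ", 3) if rest else []
    app, procid, _msgid, tail = (fields + [NILVALUE] * 4)[:4]
    tag = "" if app == NILVALUE else app
    if tag and procid != NILVALUE:
        tag += "[%s]" % procid
    if tail == NILVALUE:
        tail = ""
    elif tail.startswith(NILVALUE + " "):
        tail = tail[2:]                  # drop a nil STRUCTURED-DATA field
    content = "%s: %s" % (tag, tail) if tag else tail

    line = "<%s>%s %s" % (pri, to_rfc3164_timestamp(timestamp), host)
    return line + " " + content if content else line


if __name__ == "__main__":
    for event in (SAMPLE_NAMED, SAMPLE_NIL):
        print(reflect(event, "192.0.2.10", "rfc3164"))
    print(reflect(SAMPLE_NIL, "192.0.2.10", "rfc5424"))
```

A header that omits HOSTNAME but still carries later fields cannot be told apart from a valid one by position alone, so this example only treats an absent, "-" or non-conforming field as missing.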

Operating System Updates

Update | Snare Server Impact | Details

accountsservice has been upgraded from 0.6.35-0ubuntu7.2 to 0.6.35-0ubuntu7.3

libaccountsservice0:amd64 has been upgraded from 0.6.35-0ubuntu7.2 to 0.6.35-0ubuntu7.3

Minimal

accountsservice (0.6.35-0ubuntu7.3) trusty; urgency=medium

              

* debian/patches/wtmp-fix-logout.patch:

- Backport 0.6.43 commit to fix logout records when a user shuts down or restarts their computer (LP: #1443052)

apt has been upgraded from 1.0.1ubuntu2.14 to 1.0.1ubuntu2.15

Nil


apt-transport-https has been upgraded from 1.0.1ubuntu2.14 to 1.0.1ubuntu2.15

Nil


apt-utils has been upgraded from 1.0.1ubuntu2.14 to 1.0.1ubuntu2.15

Nil


bind9-host has been upgraded from 1:9.9.5.dfsg-3ubuntu0.8 to 1:9.9.5.dfsg-3ubuntu0.10
dnsutils has been upgraded from 1:9.9.5.dfsg-3ubuntu0.8 to 1:9.9.5.dfsg-3ubuntu0.10
libbind9-90 has been upgraded from 1:9.9.5.dfsg-3ubuntu0.8 to 1:9.9.5.dfsg-3ubuntu0.10
libdns100 has been upgraded from 1:9.9.5.dfsg-3ubuntu0.8 to 1:9.9.5.dfsg-3ubuntu0.10
libisc95 has been upgraded from 1:9.9.5.dfsg-3ubuntu0.8 to 1:9.9.5.dfsg-3ubuntu0.10
libisccc90 has been upgraded from 1:9.9.5.dfsg-3ubuntu0.8 to 1:9.9.5.dfsg-3ubuntu0.10
libisccfg90 has been upgraded from 1:9.9.5.dfsg-3ubuntu0.8 to 1:9.9.5.dfsg-3ubuntu0.10
liblwres90 has been upgraded from 1:9.9.5.dfsg-3ubuntu0.8 to 1:9.9.5.dfsg-3ubuntu0.10

Minimal.

The Snare Server does not attempt to resolve DNS entries external to the organisational network boundary, except for the following cases:

* When the objective "Import Objectives" is accessed, under direction from the logged-in user, the server will attempt to connect to the InterSect Alliance support site to download additional objectives.

bind9 (1:9.9.5.dfsg-3ubuntu0.10) trusty-security; urgency=medium

* SECURITY UPDATE: denial of service via responses containing a DNAME answer
- lib/dns/resolver.c: remove assertion failure.
- patch backported from 9.9.9-P4.
- CVE-2016-8864

clamav has been upgraded from 0.98.7+dfsg-0ubuntu0.14.04.1 to 0.99.2+addedllvm-0ubuntu0.14.04.1

clamav-base has been upgraded from 0.98.7+dfsg-0ubuntu0.14.04.1 to 0.99.2+addedllvm-0ubuntu0.14.04.1

clamav-freshclam has been upgraded from 0.98.7+dfsg-0ubuntu0.14.04.1 to 0.99.2+addedllvm-0ubuntu0.14.04.1

libclamav6 has been removed from the system, and replaced with libclamav7

Low.

ClamAV is disabled by default on the Snare Server. If enabled, the "home directory only" and "exclude the data store" options will bypass locations where an unauthenticated user could potentially inject data (via crafted event data).

clamav (0.99.2+addedllvm-0ubuntu0.14.04.1) trusty-security; urgency=medium

* Updated to 0.99.2 to fix multiple security issues
- CVE-2016-1371
- CVE-2016-1372
- CVE-2016-1405
* Removed patches no longer required
- 0003-unit_tests-increment-test-timeout-from-40secs-to-5mi.patch
- 0006-remove-unnecessary-harmful-flags-from-libclamav.pc.patch
- 0010-hardcode-LLVM-linker-flag-because-llvm-config-return.patch
- 0018-llvm-don-t-use-system-libs.patch
* debian/clamav-base.postinst.in: updated to handle new options
- OnAccessMountPath
- OnAccessDisableDDD
- OnAccessPrevention
- OnAccessExtraScanning
- PCREMatchLimit
- PCRERecMatchLimit
- PCREMaxFileSize
- ScanXMLDOCS
- ScanHWP3
- MaxRecHWP3
* debian/*: rename libclamav6 to libclamav7.
* debian/control: add libpcre3-dev to Build-Depends as new signatures rely on PCRE support.

curl has been upgraded from 7.35.0-1ubuntu2.9 to 7.35.0-1ubuntu2.10

Low.

Although the curl binary is installed and available, it is used on a limited basis to collect user and group data from internal data sources, and eventlog information from Lotus Notes/Domino servers. It does not attempt to connect to external sources, unless explicitly misconfigured.

curl (7.35.0-1ubuntu2.10) trusty-security; urgency=medium

* SECURITY UPDATE: Incorrect reuse of client certificates with NSS
- debian/patches/CVE-2016-7141.patch: refuse previously loaded certificate from file in lib/vtls/nss.c.
- CVE-2016-7141
* SECURITY UPDATE: curl escape and unescape integer overflows
- debian/patches/CVE-2016-7167.patch: deny negative string length inputs in lib/escape.c.
- CVE-2016-7167
* SECURITY UPDATE: cookie injection for other servers
- debian/patches/CVE-2016-8615.patch: ignore lines that are too long in lib/cookie.c.
- CVE-2016-8615
* SECURITY UPDATE: case insensitive password comparison
- debian/patches/CVE-2016-8616.patch: use case sensitive user/password comparisons in lib/url.c.
- CVE-2016-8616
* SECURITY UPDATE: OOB write via unchecked multiplication
- debian/patches/CVE-2016-8617.patch: check for integer overflow on large input in lib/base64.c.
- CVE-2016-8617
* SECURITY UPDATE: double-free in curl_maprintf
- debian/patches/CVE-2016-8618.patch: detect wrap-around when growing allocation in lib/mprintf.c.
- CVE-2016-8618
* SECURITY UPDATE: double-free in krb5 code
- debian/patches/CVE-2016-8619.patch: avoid realloc in lib/security.c.
- CVE-2016-8619
* SECURITY UPDATE: glob parser write/read out of bounds
- debian/patches/CVE-2016-8620.patch: stay within bounds in src/tool_urlglob.c.
- CVE-2016-8620
* SECURITY UPDATE: curl_getdate read out of bounds
- debian/patches/CVE-2016-8621.patch: handle cut off numbers better in lib/parsedate.c, added tests to tests/data/test517, tests/libtest/lib517.c.
- CVE-2016-8621
* SECURITY UPDATE: URL unescape heap overflow via integer truncation
- debian/patches/CVE-2016-8622.patch: avoid integer overflow in lib/dict.c, lib/escape.c, update docs/libcurl/curl_easy_unescape.3.
- CVE-2016-8622
* SECURITY UPDATE: Use-after-free via shared cookies
- debian/patches/CVE-2016-8623.patch: hold deep copies of all cookies in lib/cookie.c, lib/cookie.h, lib/http.c.
- CVE-2016-8623
* SECURITY UPDATE: invalid URL parsing with #
- debian/patches/CVE-2016-8624.patch: accept # as end of host name in lib/url.c.
- CVE-2016-8624

dbus has been upgraded from 1.6.18-0ubuntu4.3 to 1.6.18-0ubuntu4.4

dbus-x11 has been upgraded from 1.6.18-0ubuntu4.3 to 1.6.18-0ubuntu4.4

libdbus-1-3:amd64 has been upgraded from 1.6.18-0ubuntu4.3 to 1.6.18-0ubuntu4.4

Low.

Locally logged in users could potentially initiate a limited local denial-of-service against the kernel. Since the Snare Server does not provide general purpose computing resources, the availability of local user accounts is extremely targeted and limited.

dbus (1.6.18-0ubuntu4.4) trusty-security; urgency=medium

* SECURITY UPDATE: denial of service via ActivationFailure signal race
- debian/patches/CVE-2015-0245.patch: prevent forged ActivationFailure from non-root processes in bus/system.conf.in.
- CVE-2015-0245
* SECURITY UPDATE: arbitrary code execution or denial of service via format string vulnerability
- debian/patches/format_string.patch: do not use non-literal format string in bus/activation.c.
- No CVE number

hhvm has been upgraded from 3.15.0~trusty to 3.15.2~trusty

Nil


isc-dhcp-client has been upgraded from 4.2.4-7ubuntu12.6 to 4.2.4-7ubuntu12.7

isc-dhcp-common has been upgraded from 4.2.4-7ubuntu12.6 to 4.2.4-7ubuntu12.7

Nil

isc-dhcp (4.2.4-7ubuntu12.7) trusty; urgency=medium

* Don't assume IPv6 prefix length of 64 (LP: #1609898).
Pulled from debian commit c347ab8a43587164486ce1f104eedfd638594e59.

libapache2-mod-php5 has been upgraded from 5.5.9+dfsg-1ubuntu4.19 to 5.5.9+dfsg-1ubuntu4.20

php5 has been upgraded from 5.5.9+dfsg-1ubuntu4.19 to 5.5.9+dfsg-1ubuntu4.20


php5-cli has been upgraded from 5.5.9+dfsg-1ubuntu4.19 to 5.5.9+dfsg-1ubuntu4.20

php5-common has been upgraded from 5.5.9+dfsg-1ubuntu4.19 to 5.5.9+dfsg-1ubuntu4.20

php5-curl has been upgraded from 5.5.9+dfsg-1ubuntu4.19 to 5.5.9+dfsg-1ubuntu4.20        

php5-gd has been upgraded from 5.5.9+dfsg-1ubuntu4.19 to 5.5.9+dfsg-1ubuntu4.20        

php5-ldap has been upgraded from 5.5.9+dfsg-1ubuntu4.19 to 5.5.9+dfsg-1ubuntu4.20

php5-readline has been upgraded from 5.5.9+dfsg-1ubuntu4.19 to 5.5.9+dfsg-1ubuntu4.20

php5-sqlite has been upgraded from 5.5.9+dfsg-1ubuntu4.19 to 5.5.9+dfsg-1ubuntu4.20

php5-sybase has been upgraded from 5.5.9+dfsg-1ubuntu4.19 to 5.5.9+dfsg-1ubuntu4.20

Low.

  * Although serialized data is processed by the Snare Server, the creation of the serialized information is not under the control of the user, authenticated or otherwise.

  * Importing image data is not available within the Snare Server, and whilst gd is used in some circumstances to create graphs and related objects, only summarised externally-submitted data is used.

  * WDDX functions are not in use.

  * Mysql functions are not in use.

  * Zip functions are not in use.

  * ICU library functions are not in use.

php5 (5.5.9+dfsg-1ubuntu4.20) trusty-security; urgency=medium

* SECURITY UPDATE: denial of service or code execution via crafted serialized data
- debian/patches/CVE-2016-7124-1.patch: destroy broken object when unserializing in ext/standard/var_unserializer.c*, added tests to ext/standard/tests/strings/bug72663.phpt, ext/standard/tests/strings/bug72663_2.phpt.
- debian/patches/CVE-2016-7124-2.patch: improve fix in ext/standard/var_unserializer.c*, added test to ext/standard/tests/strings/bug72663_3.phpt.
- CVE-2016-7124
* SECURITY UPDATE: arbitrary-type session data injection
- debian/patches/CVE-2016-7125.patch: consume data even if not storing in ext/session/session.c, added test to ext/session/tests/bug72681.phpt.
- debian/patches/CVE-2016-7125-2.patch: remove unused label in ext/session/session.c.
- CVE-2016-7125
* SECURITY UPDATE: denial of service and possible code execution in imagegammacorrect function
- debian/patches/CVE-2016-7127.patch: check gamma values in ext/gd/gd.c, added test to ext/gd/tests/bug72730.phpt.
- CVE-2016-7127
* SECURITY UPDATE: information disclosure via exif_process_IFD_in_TIFF
- debian/patches/CVE-2016-7128.patch: properly handle thumbnails in ext/exif/exif.c.
- CVE-2016-7128
* SECURITY UPDATE: denial of service and possible code execution via invalid ISO 8601 time value
- debian/patches/CVE-2016-7129.patch: properly handle strings in ext/wddx/wddx.c, added test to ext/wddx/tests/bug72749.phpt.
- CVE-2016-7129
* SECURITY UPDATE: denial of service and possible code execution via invalid base64 binary value
- debian/patches/CVE-2016-7130.patch: properly handle string in ext/wddx/wddx.c, added test to ext/wddx/tests/bug72750.phpt.
- CVE-2016-7130
* SECURITY UPDATE: denial of service and possible code execution via malformed wddxPacket XML document
- debian/patches/CVE-2016-7131.patch: added check to ext/wddx/wddx.c, added tests to ext/wddx/tests/bug72790.phpt, ext/wddx/tests/bug72799.phpt.
- CVE-2016-7131
- CVE-2016-7132
* SECURITY UPDATE: denial of service and possible code execution via partially constructed object
- debian/patches/CVE-2016-7411.patch: properly handle partial object in ext/standard/var_unserializer.*, added test to ext/standard/tests/serialize/bug73052.phpt.
- CVE-2016-7411
* SECURITY UPDATE: denial of service and possible code execution via crafted field metadata in MySQL driver
- debian/patches/CVE-2016-7412.patch: validate field length in ext/mysqlnd/mysqlnd_wireprotocol.c.
- CVE-2016-7412
* SECURITY UPDATE: denial of service and possible code execution via malformed wddxPacket XML document
- debian/patches/CVE-2016-7413.patch: fixed use-after-free in ext/wddx/wddx.c, added test to ext/wddx/tests/bug72860.phpt.
- CVE-2016-7413
* SECURITY UPDATE: denial of service and possible code execution via crafted PHAR archive
- debian/patches/CVE-2016-7414.patch: validate signatures in ext/phar/util.c, ext/phar/zip.c.
- CVE-2016-7414
* SECURITY UPDATE: denial of service and possible code execution via MessageFormatter::formatMessage call with a long first argument
- debian/patches/CVE-2016-7416.patch: added locale length check to ext/intl/msgformat/msgformat_format.c.
- CVE-2016-7416
* SECURITY UPDATE: denial of service or code execution via crafted serialized data
- debian/patches/CVE-2016-7417.patch: added type check to ext/spl/spl_array.c, added test to ext/spl/tests/bug73029.phpt.
- debian/patches/CVE-2016-7417-2.patch: fix test in ext/spl/tests/bug70068.phpt.
- CVE-2016-7417
* SECURITY UPDATE: denial of service and possible code execution via malformed wddxPacket XML document
- debian/patches/CVE-2016-7418.patch: fix out-of-bounds read in ext/wddx/wddx.c, added test to ext/wddx/tests/bug73065.phpt.
- CVE-2016-7418

libapt-inst1.5:amd64 has been upgraded from 1.0.1ubuntu2.14 to 1.0.1ubuntu2.15

Nil

Functionality modifications for extracting information from APT packages

libapt-pkg4.12:amd64 has been upgraded from 1.0.1ubuntu2.14 to 1.0.1ubuntu2.15

Nil

Documentation for development of the APT package manipulation program.

libcurl3:amd64 has been upgraded from 7.35.0-1ubuntu2.9 to 7.35.0-1ubuntu2.10

libcurl3-gnutls:amd64 has been upgraded from 7.35.0-1ubuntu2.9 to 7.35.0-1ubuntu2.10

Low.

Libcurl is used via the PHP curl extension to query Snare Server agents. If the Snare Server is configured to automatically query/update any client that reports to it, via the Snare Server agent console, a user on the local network who has sent data to the Snare Server and has the ability to configure an HTTP-compatible listener on their local machine could configure an arbitrary response to be sent back to the Snare Server. However, the impact at this stage has been assessed as Low, since none of the descriptions of the CVEs specified below indicate issues with the small subset of libcurl functions currently used by the Snare Server to collect data.

curl (7.35.0-1ubuntu2.10) trusty-security; urgency=medium

* SECURITY UPDATE: Incorrect reuse of client certificates with NSS
- debian/patches/CVE-2016-7141.patch: refuse previously loaded certificate from file in lib/vtls/nss.c.
- CVE-2016-7141
* SECURITY UPDATE: curl escape and unescape integer overflows
- debian/patches/CVE-2016-7167.patch: deny negative string length inputs in lib/escape.c.
- CVE-2016-7167
* SECURITY UPDATE: cookie injection for other servers
- debian/patches/CVE-2016-8615.patch: ignore lines that are too long in lib/cookie.c.
- CVE-2016-8615
* SECURITY UPDATE: case insensitive password comparison
- debian/patches/CVE-2016-8616.patch: use case sensitive user/password comparisons in lib/url.c.
- CVE-2016-8616
* SECURITY UPDATE: OOB write via unchecked multiplication
- debian/patches/CVE-2016-8617.patch: check for integer overflow on large input in lib/base64.c.
- CVE-2016-8617
* SECURITY UPDATE: double-free in curl_maprintf
- debian/patches/CVE-2016-8618.patch: detect wrap-around when growing allocation in lib/mprintf.c.
- CVE-2016-8618
* SECURITY UPDATE: double-free in krb5 code
- debian/patches/CVE-2016-8619.patch: avoid realloc in lib/security.c.
- CVE-2016-8619
* SECURITY UPDATE: glob parser write/read out of bounds
- debian/patches/CVE-2016-8620.patch: stay within bounds in src/tool_urlglob.c.
- CVE-2016-8620
* SECURITY UPDATE: curl_getdate read out of bounds
- debian/patches/CVE-2016-8621.patch: handle cut off numbers better in lib/parsedate.c, added tests to tests/data/test517, tests/libtest/lib517.c.
- CVE-2016-8621
* SECURITY UPDATE: URL unescape heap overflow via integer truncation
- debian/patches/CVE-2016-8622.patch: avoid integer overflow in lib/dict.c, lib/escape.c, update docs/libcurl/curl_easy_unescape.3.
- CVE-2016-8622
* SECURITY UPDATE: Use-after-free via shared cookies
- debian/patches/CVE-2016-8623.patch: hold deep copies of all cookies in lib/cookie.c, lib/cookie.h, lib/http.c.
- CVE-2016-8623
* SECURITY UPDATE: invalid URL parsing with #
- debian/patches/CVE-2016-8624.patch: accept # as end of host name in lib/url.c.
- CVE-2016-8624

libgd3:amd64 has been upgraded from 2.1.0-3ubuntu0.3 to 2.1.0-3ubuntu0.5

Minimal.

The Snare Server does not use the functions highlighted below, and/or does not allow unrestricted user input when creating images using the GD library.

libgd2 (2.1.0-3ubuntu0.5) trusty-security; urgency=medium

* SECURITY UPDATE: denial of service via invalid read in gdImageCreateFromTiffPtr()
- debian/patches/CVE-2016-6911.patch: check out of bounds reads in src/gd_io_dp.c, check return code in src/gd_tiff.c
- CVE-2016-6911
* SECURITY UPDATE: denial of service and possible code execution via integer overflow in gdImageWebpCtx
- debian/patches/CVE-2015-7568.patch: check for overflow in src/gd_webp.c.
- CVE-2016-7568
* SECURITY UPDATE: stack buffer overflow in dynamicGetbuf
- debian/patches/CVE-2016-8670.patch: avoid potentially dangerous signed to unsigned conversion in src/gd_io_dp.c.
- CVE-2016-8670

libgdk-pixbuf2.0-0:amd64 has been upgraded from 2.30.7-0ubuntu1.2 to 2.30.7-0ubuntu1.6
libgdk-pixbuf2.0-common has been upgraded from 2.30.7-0ubuntu1.2 to 2.30.7-0ubuntu1.6

Minimal.

The Snare Server does not manipulate ico files, or use the gdk-pixbuf library for any functionality directly.

gdk-pixbuf (2.30.7-0ubuntu1.6) trusty-security; urgency=medium

* SECURITY UPDATE: Fix a write out-of-bounds error parsing a malicious ico
- debian/patches/CVE-2016-6352.patch: Be more careful when parsing ico headers. Based on upstream patch.
- Thanks to Franco Costantini for discovering this issue using QuickFuzz.
- CVE-2016-6352
* SECURITY UPDATE: Fix a heap-based buffer overflow
- debian/patches/CVE-2015-7552.patch: Protect against overflow. Based on upstream patches.
- CVE-2015-7552
* SECURITY UPDATE: Fix multiple integer overflows
- debian/patches/CVE-2015-8875.patch: use gint64 in more places to avoid overflow when shifting
- CVE-2015-8875

libmysqlclient18:amd64 has been upgraded from 5.5.52-0ubuntu0.14.04.1 to 5.5.53-0ubuntu0.14.04.1
mysql-common has been upgraded from 5.5.52-0ubuntu0.14.04.1 to 5.5.53-0ubuntu0.14.04.1

Nil.

The Snare Server does not use mysql libraries.

mysql-5.5 (5.5.53-0ubuntu0.14.04.1) trusty-security; urgency=medium

* SECURITY UPDATE: Update to 5.5.53 to fix security issues
- CVE-2016-5584
- CVE-2016-7440
* debian/mysql-server-5.5.postinst, debian/apparmor-profile: add var/lib/mysql-files directory for new secure-file-priv option default.

libnl-3-200:amd64 has been upgraded from 3.2.21-1ubuntu3 to 3.2.21-1ubuntu4
libnl-genl-3-200:amd64 has been upgraded from 3.2.21-1ubuntu3 to 3.2.21-1ubuntu4

Nil

libnl3 (3.2.21-1ubuntu4) trusty; urgency=high

[ Jorge Niedbalski ]
* d/p/lib-nl-Increase-receive-buffer-size-to-4-pages.patch: Increase receive buffer size to 4 pages by default. (LP: #1567578).

libpq5 has been upgraded from 9.3.14-0ubuntu0.14.04 to 9.3.15-0ubuntu0.14.04

Nil.

Snare does not use postgresql.

postgresql-9.3 (9.3.15-0ubuntu0.14.04) trusty-proposed; urgency=medium

* New upstream bug fix release (LP: #1637236)
- Fix WAL-logging of truncation of relation free space maps and visibility maps.
It was possible for these files to not be correctly restored during crash recovery, or to be written incorrectly on a standby server. Bogus entries in a free space map could lead to attempts to access pages that have been truncated away from the relation itself, typically producing errors like "could not read block XXX: read only 0 of 8192 bytes". Checksum failures in the visibility map are also possible, if checksumming is enabled.
Procedures for determining whether there is a problem and repairing it if so are discussed at https://wiki.postgresql.org/wiki/Free_Space_Map_Problems
- Details about other changes:
http://www.postgresql.org/docs/9.3/static/release-9-3-15.html

libpython3.4-minimal:amd64 has been upgraded from 3.4.3-1ubuntu1~14.04.3 to 3.4.3-1ubuntu1~14.04.4
libpython3.4-stdlib:amd64 has been upgraded from 3.4.3-1ubuntu1~14.04.3 to 3.4.3-1ubuntu1~14.04.4
python3-update-manager has been upgraded from 1:0.196.21 to 1:0.196.22
python3.4 has been upgraded from 3.4.3-1ubuntu1~14.04.3 to 3.4.3-1ubuntu1~14.04.4
python3.4-minimal has been upgraded from 3.4.3-1ubuntu1~14.04.3 to 3.4.3-1ubuntu1~14.04.4

Minimal.

Snare does not use python directly.

python3.4 (3.4.3-1ubuntu1~14.04.4) trusty-proposed; urgency=medium

* SRU: LP: #1620754: Fix invalid code in pyhash/siphash24. Issue #28055.

libsmbclient:amd64 has been upgraded from 2:4.3.9+dfsg-0ubuntu0.14.04.3 to 2:4.3.11+dfsg-0ubuntu0.14.04.1
libwbclient0:amd64 has been upgraded from 2:4.3.9+dfsg-0ubuntu0.14.04.3 to 2:4.3.11+dfsg-0ubuntu0.14.04.1
python-samba has been upgraded from 2:4.3.9+dfsg-0ubuntu0.14.04.3 to 2:4.3.11+dfsg-0ubuntu0.14.04.1
samba has been upgraded from 2:4.3.9+dfsg-0ubuntu0.14.04.3 to 2:4.3.11+dfsg-0ubuntu0.14.04.1
samba-common has been upgraded from 2:4.3.9+dfsg-0ubuntu0.14.04.3 to 2:4.3.11+dfsg-0ubuntu0.14.04.1
samba-common-bin has been upgraded from 2:4.3.9+dfsg-0ubuntu0.14.04.3 to 2:4.3.11+dfsg-0ubuntu0.14.04.1
samba-dsdb-modules has been upgraded from 2:4.3.9+dfsg-0ubuntu0.14.04.3 to 2:4.3.11+dfsg-0ubuntu0.14.04.1
samba-libs:amd64 has been upgraded from 2:4.3.9+dfsg-0ubuntu0.14.04.3 to 2:4.3.11+dfsg-0ubuntu0.14.04.1
samba-vfs-modules has been upgraded from 2:4.3.9+dfsg-0ubuntu0.14.04.3 to 2:4.3.11+dfsg-0ubuntu0.14.04.1
smbclient has been upgraded from 2:4.3.9+dfsg-0ubuntu0.14.04.3 to 2:4.3.11+dfsg-0ubuntu0.14.04.1

Minimal.

The Snare Server does not use samba in client mode.

samba (2:4.3.11+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium

* SECURITY UPDATE: client-signing protection mechanism bypass
- Updated to upstream 4.3.11
- CVE-2016-2119
* Removed patches included in new version
- debian/patches/samba-bug11912.patch
- debian/patches/samba-bug11914.patch
* debian/patches/git_smbclient_cpu.patch:
- backport upstream patch to fix smbclient users hanging/eating cpu on trying to contact a machine which is not there.

libssl1.0.0:amd64 has been upgraded from 1.0.1f-1ubuntu2.19 to 1.0.1f-1ubuntu2.21
openssl has been upgraded from 1.0.1f-1ubuntu2.19 to 1.0.1f-1ubuntu2.21

Medium.

Users who can connect to the Snare Server via SSL, or to an enabled TLS listener on the Snare Server collector, could initiate a level of denial of service, using modified packet data.

openssl (1.0.1f-1ubuntu2.21) trusty-security; urgency=medium

* SECURITY REGRESSION: incomplete fix for CVE-2016-2182 (LP: #1626883)
- debian/patches/CVE-2016-2182-2.patch: fix off-by-one in overflow check in crypto/bn/bn_print.c.

linux-generic has been upgraded from 3.13.0.95.103 to 3.13.0.101.109

linux-headers-3.13.0-95 has been upgraded from 3.13.0-95.142 to

linux-headers-3.13.0-95-generic has been upgraded from 3.13.0-95.142 to

linux-headers-generic has been upgraded from 3.13.0.95.103 to 3.13.0.101.109

linux-image-3.13.0-95-generic has been upgraded from 3.13.0-95.142 to

linux-image-extra-3.13.0-95-generic has been upgraded from 3.13.0-95.142 to

linux-image-generic has been upgraded from 3.13.0.95.103 to 3.13.0.101.109

linux-image-server has been upgraded from 3.13.0.95.103 to 3.13.0.101.109

linux-image-virtual has been upgraded from 3.13.0.95.103 to 3.13.0.101.109

Additional support for hardware devices.


ntpdate has been upgraded from 1:4.2.6.p5+dfsg-3ubuntu2.14.04.8 to 1:4.2.6.p5+dfsg-3ubuntu2.14.04.10

Low-Medium.

ntpdate is used within the Snare Server to potentially synchronise local system time with a remote time source. In normal circumstances, the time source will be an internal, or trusted external entity. The ability to modify the time source configuration is restricted to administrative-level users on the Snare Server.

* SECURITY UPDATE: Deja Vu replay attack on authenticated broadcast mode
- debian/patches/CVE-2015-7973.patch: improve timestamp verification in include/ntp.h, ntpd/ntp_proto.c.
- CVE-2015-7973
* SECURITY UPDATE: impersonation between authenticated peers
- debian/patches/CVE-2015-7974.patch: check key ID in ntpd/ntp_proto.c.
- CVE-2015-7974
* SECURITY UPDATE: ntpq saveconfig command allows dangerous characters in filenames
- debian/patches/CVE-2015-7976.patch: check filename in ntpd/ntp_control.c.
- CVE-2015-7976
* SECURITY UPDATE: restrict list denial of service
- debian/patches/CVE-2015-7977-7978.patch: improve restrict list processing in ntpd/ntp_request.c.
- CVE-2015-7977
- CVE-2015-7978
* SECURITY UPDATE: authenticated broadcast mode off-path denial of service
- debian/patches/CVE-2015-7979.patch: add more checks to ntpd/ntp_proto.c.
- CVE-2015-7979
- CVE-2016-1547
* SECURITY UPDATE: Zero Origin Timestamp Bypass
- debian/patches/CVE-2015-8138.patch: check p_org in ntpd/ntp_proto.c.
- CVE-2015-8138
* SECURITY UPDATE: potential infinite loop in ntpq
- debian/patches/CVE-2015-8158.patch: add time checks to ntpdc/ntpdc.c, ntpq/ntpq.c.
- CVE-2015-8158
* SECURITY UPDATE: NTP statsdir cleanup cronjob insecure (LP: #1528050)
- debian/ntp.cron.daily: fix security issues, patch thanks to halfdog!
- CVE-2016-0727
* SECURITY UPDATE: time spoofing via interleaved symmetric mode
- debian/patches/CVE-2016-1548.patch: check for bogus packets in ntpd/ntp_proto.c.
- CVE-2016-1548
* SECURITY UPDATE: buffer comparison timing attacks
- debian/patches/CVE-2016-1550.patch: use CRYPTO_memcmp in libntp/a_md5encrypt.c, sntp/crypto.c.
- CVE-2016-1550
* SECURITY UPDATE: DoS via duplicate IPs on unconfig directives
- debian/patches/CVE-2016-2516.patch: improve logic in ntpd/ntp_request.c.
- CVE-2016-2516
* SECURITY UPDATE: denial of service via crafted addpeer
- debian/patches/CVE-2016-2518.patch: check mode value in ntpd/ntp_request.c.
- CVE-2016-2518
* SECURITY UPDATE: denial of service via spoofed packets
- debian/patches/CVE-2016-4954.patch: discard packet that fails tests in ntpd/ntp_proto.c.
- CVE-2016-4954
* SECURITY UPDATE: denial of service via spoofed crypto-NAK or incorrect MAC
- debian/patches/CVE-2016-4955.patch: fix checks in ntpd/ntp_proto.c.
- CVE-2016-4955
* SECURITY UPDATE: denial of service via spoofed broadcast packet
- debian/patches/CVE-2016-4956.patch: properly handle switch in broadcast interleaved mode in ntpd/ntp_proto.c.
- CVE-2016-4956

shim-signed has been upgraded from 1.18~14.04.1+0.8-0ubuntu2 to 1.19~14.04.1+0.8-0ubuntu2

Nil

shim-signed (1.19~14.04.1) trusty; urgency=medium

* update-secureboot-policy:

sudo has been upgraded from 1.8.9p5-1ubuntu1.2 to 1.8.9p5-1ubuntu1.3

Nil

sudo (1.8.9p5-1ubuntu1.3) trusty-proposed; urgency=medium
* debian/sudoers:
- include /snap/bin in the secure_path (LP: #1595558)

tzdata has been upgraded from 2016f-0ubuntu0.14.04 to 2016h-0ubuntu0.14.04

Nil

tzdata (2016h-0ubuntu0.14.04) trusty; urgency=critical

* New upstream release, with urgent DST changes for Asia/{Gaza,Hebron}.

update-manager-core has been upgraded from 1:0.196.21 to 1:0.196.22

Nil

Update manager and release upgrader.


vim-runtime has been upgraded from 2:7.4.052-1ubuntu3 to 2:7.4.052-1ubuntu3.1
vim has been upgraded from 2:7.4.052-1ubuntu3 to 2:7.4.052-1ubuntu3.1
vim-common has been upgraded from 2:7.4.052-1ubuntu3 to 2:7.4.052-1ubuntu3.1
vim-tiny has been upgraded from 2:7.4.052-1ubuntu3 to 2:7.4.052-1ubuntu3.1

Minimal.

Vim is only used in rare circumstances, by on-site support teams, and does not form a part of normal Snare Server operational requirements.

vim (2:7.4.052-1ubuntu3.1) trusty-security; urgency=medium

* SECURITY UPDATE: arbitrary shell execution via modelines
- debian/patches/upstream/CVE-2016-1248.patch: Only allow valid characters in 'filetype', 'syntax' and 'keymap'. Tests adapted back to vim 7.3 by James McCoy of Debian, thanks! Patch is also updated to add the tests to the set that are run during the build.
- CVE-2016-1248




