CVE-2014-3575 (enterprise_linux_desktop, enterprise_linux_server, enterprise_linux_workstation, openoffice, openoffice.org)

The OLE preview generation in Apache OpenOffice before 4.1.1 and OpenOffice.org (OOo) might allow remote attackers to embed arbitrary data into documents via crafted OLE objects.

CVE-2014-3490 (jboss_enterprise_application_platform, resteasy)

RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818.

CVE-2014-3522 (opensuse, subversion, ubuntu_linux, xcode)

The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

CVE-2014-3528 (enterprise_linux_desktop, enterprise_linux_hpc_node, enterprise_linux_server, enterprise_linux_server_eus, enterprise_linux_workstation, opensuse, subversion, ubuntu_linux, xcode)

Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm.

CVE-2014-4344 (debian_linux, enterprise_linux_desktop, enterprise_linux_hpc_node, enterprise_linux_server, enterprise_linux_workstation, kerberos)

The acc_ctx_cont function in the SPNEGO acceptor in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty continuation token at a certain point during a SPNEGO negotiation.