Misc

**Name of the Vulnerable Software and Affected Versions** OpenShift haproxy cartridge (affected versions not specified) **Description** The issue concerns a predictable /tmp in the set-proxy connection hook of the OpenShift haproxy cartridge, which could facilitate a denial-of-service (DoS) attack. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenShift (affected versions not specified) **Description** The issue is related to the improper creation of files in /tmp by the dump.sh script in the cartridges/openshift-origin-cartridge-mongodb-2.2/info/bin directory of OpenShift. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Podman and Varlink version 1.5.1 **Description** A critical issue was found, affecting an unknown part of the component API. This leads to Remote Privilege Escalation and can be initiated remotely. The exploit has been disclosed publicly. **Recommendations** For Podman and Varlink version 1.5.1, update to a version that addresses the Remote Privilege Escalation issue. As a temporary workaround, consider restricting access to the affected API component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 42.0 Firefox ESR versions prior to 38.4 **Description** The issue is related to errors in the code when a Java plugin is enabled, allowing remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted Java applet that deallocates an in-use JavaScript wrapper. The Java plugin can deallocate a JavaScript wrapper when it is still in use, leading to a JavaScript garbage collection crash, which is potentially exploitable. **Recommendations** For Mozilla Firefox versions prior to 42.0, update to version 42.0 or later to resolve the issue. For Firefox ESR versions prior to 38.4, update to version 38.4 or later to resolve the issue. As a temporary workaround, consider disabling the Java plugin until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Ansible versions prior to 1.2.3 **Description** The issue allows local users to redirect a ssh session via a symlink attack on a socket file with a predictable name in /tmp/. This occurs when using ControlPersist in the `runner/connection plugins/ssh.py` module. **Recommendations** For versions prior to 1.2.3, update to version 1.2.3 or later to resolve the issue. As a temporary workaround, consider disabling the use of `ControlPersist` until a patch is available. Restrict access to the `/tmp/` directory to minimize the risk of exploitation. Avoid using predictable names for socket files in the `/tmp/` directory until the issue is resolved.