[ MDVSA-2013:185 ] perl-Module-Signature

2013-06-28 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2013:185
 http://www.mandriva.com/en/support/security/
 ___

 Package : perl-Module-Signature
 Date: June 27, 2013
 Affected: Business Server 1.0
 ___

 Problem Description:

 Updated perl-Module-Signature package fixes CVE-2013-2145
 
 Arbitrary code execution vulnerability in Module::Signature before 0.72
 (CVE-2013-2145).
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2145
 http://advisories.mageia.org/MGASA-2013-0184.html
 ___

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 4b9813fca645a0d8a0b395969ee63763  
mbs1/x86_64/perl-Module-Signature-0.730.0-1.mbs1.noarch.rpm 
 41874f6f701ecdab94f01ad3929a1117  
mbs1/SRPMS/perl-Module-Signature-0.730.0-1.mbs1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRzD2WmqjQ0CJFipgRAuuIAKDIlQ8t0awrdbJoFEqfQ7gl+pv1fQCfS3n8
d/NsB7q0153xWeriO6XTfB8=
=mW/4
-END PGP SIGNATURE-



Re: Re: EMC Avamar: World writable cache files

2013-06-28 Thread security_alert
ESA-2013-003: EMC Avamar Client Elevation of Privilege Vulnerability

EMC Identifier: ESA-2013-003

CVE Identifier: CVE-2012-2291

Severity Rating: CVSS v2 Base Score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Affected products:  

•   EMC Avamar HP-UX Client 4.x, 5.x and 6.x
•   EMC Avamar Mac OS Client 4.x, 5.x and 6.x
•   EMC Avamar Plugin for Oracle 4.x, 5.x and 6.x

Note: Other Linux and Unix Avamar client systems could also be affected as a 
result of a support or locally-performed procedure that incorrectly sets the 
permission of the Avamar var directory (/usr/local/avamar/var or 
/opt/AVMRclnt/var).

Summary:  

Due to a vulnerability, described in detail below, the Avamar client leaves 
certain directories and files as world writable.  The presence of world 
writable directories and files may inadvertently result in elevation of 
privileges by a user who has access to the local file system. 

Details:  

The Avamar affected client process runs as root and after each backup it leaves 
the cache files as world readable and writable. While the cache files 
themselves do not contain sensitive information, when the parent directory is 
world-writable, the cache files could be used by an attacker to elevate the 
privileges when a system-level backup is performed.  The non-root user can 
create symbolic links to obtain unauthorized access to files on the affected 
system.

Note: This vulnerability information is currently public. EMC is not aware of 
any instance in which the vulnerability has been exploited maliciously.

Resolution:  

The following EMC Avamar product contains a resolution to this issue:

•   EMC Avamar Client Hotfix # 50184 (client version 6.1.101-89)

The Avamar client software must be upgraded by applying client hotfix #50184 
(client version 6.1.101-89). This hotfix first requires the Avamar Server to be 
upgraded to 6.1.0 or newer.
If your Avamar Server is already at 6.1.0 or newer, then you can upgrade your 
client version to 6.1.101-89.  See 
http://solutions.emc.com/emcsolutionview.asp?id=esg135935 for detailed 
instructions.

If you do not wish to upgrade your client software at this time, the following 
workaround steps must be performed to mitigate the risk until the full fix is 
available from EMC.

For HP-UX clients:
The permissions of the /opt/AVMRclnt/var directory should be set to 0755. 
Log into the HP-UX client as the “root” user and type the following command:
chmod 0755 /opt/AVMRclnt/var

For Mac OS clients:
The permissions of the /var/avamar directory should be set to 0755. 
Log into the Mac client as the “root” user and type the following command:
chmod 0755 /var/avamar

For Oracle clients:
The following procedure only applies to clients where the directory permissions 
of the Avamar var directory (/usr/local/avamar/var or /opt/AVMRclnt/var) have 
been manually changed after installation of the Avamar plugin for Oracle:
The permissions of the /usr/local/avamar/var should be set to 0775 with the 
group ownership set to the oracle group. Log into the Oracle client as the 
“root” user and type either of the following pairs of commands:

On Linux and Unix Oracle clients other than Solaris and HP-UX:

chmod 0775 /usr/local/avamar/var
chgrp oracle /usr/local/avamar/var

On Solaris and HP-UX Oracle clients:

chmod 0775 /opt/AVMRclnt/var
chgrp oracle /opt/AVMRclnt/var

Other Avamar clients:

 Verify that the permissions of the Avamar var directory (/usr/local/avamar/var 
or /opt/AVMRclnt/var) on Linux and Unix clients are not modified as a result of 
a support or locally-performed procedure. The permissions should be set to 0755.


If you have any questions or concerns about running the above commands please 
contact EMC Technical Support at http://www.emc.com/contact

[The following is standard text included in all security advisories.  Please do 
not change or delete.]

Read and use the information in this EMC Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein. If 
you have any questions regarding this product alert, contact EMC Software 
Technical Support at 1-877-534-2867.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution 
emc218831. EMC recommends all customers take into account both the base score 
and any relevant temporal and environmental scores which may impact the 
potential severity associated with particular security vulnerability.

EMC Corporation distributes EMC Security Advisories, in order to bring to the 
attention of users of the affected EMC products, important security 
information. EMC recommends that all users determine the applicability of this 
information to their individual situations and take appropriate action. The 
information set forth herein is provided as is without warranty of any kind. 
EMC disclaims all warranties, either express or implied, including the 
warranties of merchantability, fitness for a particular purpose, title and 
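The attack class the advisory above describes, as an added Ruby example (not EMC code): a privileged process that rewrites a cache file by name inside a world-writable directory will follow a symlink planted there by an unprivileged user and clobber whatever the link points at, while a write that refuses links and pre-existing files does not. The audit helper mirrors the advisory's 0755 remediation. All paths are created in a temporary directory constructed for the demonstration; 'protected' stands in for a root-owned file.

```ruby
require 'tmpdir'

# True when the 'other' write bit is set, i.e. any local user may create or
# rename entries in this directory (and so plant a symlink at a known name).
def world_writable?(path)
  (File.stat(path).mode & 0o002) != 0
end

# The advisory's remediation: clear group/other write and report the mode bits.
def harden_mode!(path)
  File.chmod(0o755, path)
  File.stat(path).mode & 0o777
end

# Unsafe pattern: open-by-name with truncation. File.write follows symlinks,
# so a link planted at the cache path redirects the write to the link target.
def naive_cache_write(path, data)
  File.write(path, data)
end

# Hardened pattern: never follow a link, never reuse an existing file, create
# with a restrictive mode. Returns true on success, false when refused. The
# caller unlinks the stale cache entry first (unlink does not follow links),
# and O_EXCL|O_NOFOLLOW closes the window between that unlink and this open.
def safe_cache_write(path, data)
  return false if File.symlink?(path)
  flags = File::WRONLY | File::CREAT | File::EXCL
  flags |= File::NOFOLLOW if File.const_defined?(:NOFOLLOW)
  File.open(path, flags, 0o644) { |f| f.write(data) }
  true
rescue Errno::EEXIST, Errno::ELOOP
  false
end

# Audit two constructed 'var' directories: one left at 0777, one at 0755.
def demo_directory_audit
  Dir.mktmpdir do |dir|
    loose = File.join(dir, 'var_loose')
    tight = File.join(dir, 'var_tight')
    Dir.mkdir(loose)
    File.chmod(0o777, loose)
    Dir.mkdir(tight)
    File.chmod(0o755, tight)
    { loose: world_writable?(loose), tight: world_writable?(tight),
      fixed: harden_mode!(loose) }
  end
end

# Replay the attack: 'victim' stands in for a root-owned file the attacker
# cannot write, 'cache.dat' is the path the privileged backup rewrites.
def demo_symlink_attack
  Dir.mktmpdir do |dir|
    victim = File.join(dir, 'victim')
    cache  = File.join(dir, 'cache.dat')
    File.write(victim, 'original')
    File.symlink(victim, cache)            # planted by the unprivileged user
    naive_cache_write(cache, 'clobbered')  # follows the link: victim is rewritten
    after_naive = File.read(victim)
    File.write(victim, 'original')
    refused = !safe_cache_write(cache, 'clobbered')
    { after_naive: after_naive, refused: refused, after_safe: File.read(victim) }
  end
end

if $PROGRAM_NAME == __FILE__
  p demo_directory_audit
  p demo_symlink_attack
end
```

On a real client the audit target would be /usr/local/avamar/var or /opt/AVMRclnt/var as named in the advisory; the Oracle plugin case (0775 with group oracle) is still not world-writable and passes the same check.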

eFile Wifi Transfer Manager 1.0 iOS - Multiple Vulnerabilities

2013-06-28 Thread Vulnerability Lab
Title:
==
eFile Wifi Transfer Manager 1.0 iOS - Multiple Vulnerabilities


Date:
=
2013-06-24


References:
===
http://www.vulnerability-lab.com/get_content.php?id=982


VL-ID:
=
982


Common Vulnerability Scoring System:

6.8


Introduction:
=
eFile is the File Manager for iOS devices. You can use your device as a Wi-Fi 
flash disk. You can connect to iPhone 
from a Mac, Windows, or Linux computer (on the same Wi-Fi network). No special 
software required on your computer. 
You can transfer mp3 files via bluetooth, Wi-Fi or iTunes. Support most of the 
document formats. Folder Password 
Protected: Provide password protection for each folder Http Password Protected: 
Provide Password protection for Http 
file transfer. File Operations: New Folder, delete, move, copy, email, share 
with bluetooth or Wi-Fi, zip, unzip ...

File sharing with other ios devices via Bluetooth or Wi-Fi
File upload via your PC/Mac/Linux web browser or USB via iTunes.
Provide download email attachments
Provide download Safari browser attachments
Save and Get images to and from Photos
iWork (Pages, Numbers, Keynote)
Microsoft Office (Word, Excel, PowerPoint)
PDF, RTF, RTFD, TXT
MP3, MP4, MOV, MPV, M4V
JPG, PNG, GIF, BMP, TIF, TIFF, ICO
ZIP,RAR
TXT,C,CPP,H,M

(Copy of the Homepage: 
https://itunes.apple.com/de/app/efile-lite-file-sharing-file/id606822182 )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities 
in the eFile Wifi Manager v1.0 iOS mobile application.


Report-Timeline:

2013-06-24: Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

1.1
A local file include and an arbitrary file upload web vulnerability via POST 
request method is detected in the eFile Wifi Manager v1.0 
iOS mobile application for the Apple iPad & iPhone. The vulnerability allows 
remote attackers via POST method to inject local app webserver 
folders to request unauthorized local webserver files.

The vulnerability is located in the upload file module of the webserver 
(http://localhost/x) when processing to request a manipulated 
filename via POST. The execution of the injected path or file request will 
occur when the attacker is processing to reload to index listing 
of the affected module after the file include attack via upload. Remote 
attackers can exchange the filename with a triple extension to bypass 
the filter and execute the files from the little webserver of the application.

Exploitation of the vulnerability requires no user interaction and also without 
application user account (no password standard).
Successful exploitation of the vulnerability results in unauthorized path or 
file access via local file include or arbitrary file upload.

Vulnerable Application(s):
[+] eFile v1.0 - iTunes or AppStore (Apple)

Vulnerable Module(s):
[+] File Upload  (Web Server) [Remote]

Vulnerable Parameter(s):
[+] filename
[+] file extensions

Affected Module(s):
[+] eFile Index Listing


1.2
A persistent input validation vulnerability is detected in the eFile Wifi 
Manager v1.0 iOS mobile application for the Apple iPad & iPhone.
The bug allows an attacker (remote) to implement/inject malicious script code 
on the application side (persistent) of the app web service. 

The vulnerability is located in the index file dir listing module of the 
webserver (http://localhost/foldername) when processing to display
via POST request method injected manipulated `foldernames`. The persistent 
script code will be executed in the main index file dir 
listing module when the service is processing to list the new malicious 
injected foldername as item.

Exploitation of the persistent web vulnerability requires low or medium user 
interaction without application user account.
Successful exploitation of the vulnerability can lead to persistent session 
hijacking (customers), account steal via persistent web 
attacks, persistent phishing or stable (persistent) certificate mail 
notification context manipulation.

Vulnerable Application(s):
[+] eFile v1.0 - iTunes or AppStore (Apple)

Vulnerable Module(s):
[+] Add or Edit Foldername

Vulnerable Parameter(s):
[+] foldername

Affected Module(s):
[+] eFile Index Listing


Proof of Concept:
=
1.1
The arbitrary file upload vulnerability and restriction bypass can be exploited 
by remote attackers without privilege application user account 
and also without required user interaction. For demonstration or reproduce ...


File Upload ...

Host=localhost:8080
User-Agent=Mozilla/5.0 (Windows NT 6.1; 

Mobile USB Drive HD 1.2 - Arbitrary File Upload Vulnerability

2013-06-28 Thread Vulnerability Lab
Title:
==
Mobile USB Drive HD 1.2 - Arbitrary File Upload Vulnerability


Date:
=
2013-06-27


References:
===
http://www.vulnerability-lab.com/get_content.php?id=989


VL-ID:
=
989


Common Vulnerability Scoring System:

6.8


Introduction:
=
Mobile Drive is a Powerful tool that allows you to quickly store and view 
files. you can transfer files between PC/MAC 
and your device via WiFi, iTunes USB, FTP and iCloud. No more worries about 
losing important files again!

File Manager
- Global File Search
- Folder and sub-folder support
- Move, rename, copy, delete, zip files and folders
- Extract ZiP files
- Sorting by name, date, size

File viewer
- PDF Viewer (support bookmark, thumbnail, AirPrint)
- Full-Featured Photo Viewer
- Document viewer supports Word, Excel, PPT, PDF, iWork, html, txt, rtf, 
webarchive file formats
- Video player support mp4, mov, 3gp, m4v formats
- Open files in other apps

File Transfer and Backup
- Wirelessly transfer files via Wifi
- FTP File Transfer support (easily download, upload, rename, and delete files 
and folders)
- iTunes USB File Sharing support (the fastest and the easiest way)
- Access and edit files with different devices via iCloud
- Transfer files via Email
- File Backup:Wifi, iTunes USB, FTP, Open-In, iCloud

Password Protection Feature, three choices
• 4-digit password
• character password
• gestures password 


(Copy of the Vendor Homepage:  
https://itunes.apple.com/us/app/mobile-usb-drive-for-iphone/id622590148 )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities 
in the Mobile USB Drive HD v1.2 apple iOS application.


Report-Timeline:

2013-06-27: Public Disclosure (Vulnerability Laboratory)


Status:

Published


Affected Products:
==
Apple AppStore
Product: Mobile USB Drive HD 1.2


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

A local file include and arbitrary file upload web vulnerability via POST 
method request is detected in the Mobile USB Drive HD v1.2 apple iOS 
application.
The vulnerability allows remote attackers via POST method to upload files with 
multiple extensions to unauthorized access them on application-side of the 
service.

The vulnerability is located in the upload file module of the web-server 
(http://localhost:8080/) when processing to request a manipulated 
filename via POST. The execution of the injected path or file request will 
occur when the attacker/target is processing to reload to index listing 
of the affected module. Remote attackers can exchange the filename with a 
triple extension to bypass the filter and can execute the files located 
on the little web-server of the application.

Exploitation of the vulnerability requires no user interaction and also without 
application user account (no password standard).
Successful exploitation of the vulnerability results in unauthorized path or 
file access via local file include or arbitrary file upload.

Vulnerable Application(s):
[+] Mobile USB Drive HD v1.2 - iTunes or 
AppStore (Apple)

Vulnerable Module(s):
[+] File Upload  (Web Server) [Remote]

Vulnerable Parameter(s):
[+] filename
[+] file extensions (multiple)

Affected Module(s):
[+] MUD HD Index Listing


Proof of Concept:
=
The arbitrary file upload web vulnerability can be exploited by remote 
attackers without user interaction or privilege application user account.
For demonstration or reproduce ...

PoC: http://localhost:8080/files/webshell-js.php.png.txt.iso.php.gif


Review: File Management.htm - Index

<table border=0 cellpadding=0 cellspacing=0>
<thead>
<tr><th>Name</th><th class=del>Delete</th></tr>
</thead>
<tbody id=filelist>
<tr><td><a 
href="http://localhost:8080/files/webshell-js.php.png.txt.iso.php.gif" 
class=file>webshell-js.php.png.txt.iso.php.gif</a></td>



--- Session Log ---
21:01:24.132[0ms][total 0ms] 
Status: pending[]

GET http://192.168.2.104:8080/files/1234.png.txt.iso.php.gif Load 
Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] 
Content Size[unknown] Mime Type[unknown]
   Request Headers:
  Host[192.168.2.104:8080]
  
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 
Firefox/21.0]
  
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  
Accept-Language[en-US,en;q=0.5]
  Accept-Encoding[gzip, deflate]
  DNT[1]
  
Referer[http://192.168.2.104:8080/]


21:01:32.643[0ms][total 0ms] 

Status: pending[]
GET http://192.168.2.104:8080/files/1234.png.txt.iso.php.gif Load 
Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI  
LOAD_INITIAL_DOCUMENT_URI  ] Content Size[unknown] Mime Type[unknown]
   

Request Headers:
  Host[192.168.2.104:8080]
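The filter bypass both iOS advisories above rely on (eFile and Mobile USB Drive HD), as an added Ruby example that is not code from either app: a check that only asks whether the name ends in an allowed extension accepts webshell-js.php.png.txt.iso.php.gif, while a validator that strips directory components, refuses NUL bytes and dotfiles, allows exactly one extension and allowlists it rejects every PoC name the reports quote. The allowed-extension list is an assumption for the example; the apps' real lists are not known.

```ruby
# Extensions the upload endpoint is willing to store (assumed for this example).
ALLOWED_EXTENSIONS = %w[pdf txt rtf jpg jpeg png gif mp3 mp4 mov zip].freeze

# The kind of check the advisories describe as bypassable: it only asks whether
# the name *ends* in an allowed extension, so anything.php.gif passes.
def naive_extension_check(name)
  ALLOWED_EXTENSIONS.any? { |ext| name.downcase.end_with?(".#{ext}") }
end

# Strict variant. Returns the name to store, or nil when the upload must be
# rejected. Drops directory components (both separator styles, so the filename
# cannot reach outside the upload root), refuses NUL bytes, dotfiles and names
# with more than one extension, and allowlists the single remaining extension.
def sanitize_upload_name(raw)
  return nil if raw.nil? || raw.include?("\0")
  name = File.basename(raw.gsub('\\', '/'))
  return nil if name.empty? || name.start_with?('.')
  parts = name.split('.')
  return nil unless parts.length == 2            # exactly one extension
  base, ext = parts
  return nil unless base.match?(/\A[A-Za-z0-9_-]{1,64}\z/)
  ext = ext.downcase
  return nil unless ALLOWED_EXTENSIONS.include?(ext)
  "#{base}.#{ext}"
end

if $PROGRAM_NAME == __FILE__
  %w[webshell-js.php.png.txt.iso.php.gif 1234.png.txt.iso.php.gif report.pdf
     ../../etc/passwd .htaccess].each do |n|
    puts "#{n.ljust(40)} naive=#{naive_extension_check(n)} strict=#{sanitize_upload_name(n).inspect}"
  end
end
```

The returned name is what goes on disk; serving it back with a Content-Type derived from that allowlisted extension (rather than from the client-supplied name) closes the other half of the report, where the stored file is fetched straight from the app's web root.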
  

Barracuda CudaTel 2.6.02.04 - Multiple Web Vulnerabilities

2013-06-28 Thread Vulnerability Lab
Title:
==
Barracuda CudaTel 2.6.02.04 - Multiple Web Vulnerabilities


Date:
=
2013-06-25


References:
===
http://vulnerability-lab.com/get_content.php?id=778

BARRACUDA NETWORK SECURITY ID: BNSEC-811


VL-ID:
=
778


Common Vulnerability Scoring System:

2.5


Introduction:
=
Designed to enable seamless voice and video communication, the CudaTel 
Communication Server is an easy-to-use, 
affordable, next-generation phone system for businesses. CudaTel Communication 
Server's enterprise-class 
feature set includes Voice over IP (VoIP) PBX services, conferencing, 
follow-me, automated attendant services, 
and more, controlled by an easy-to-use Web interface. CudaTel Communication 
Server is compatible with any SIP 
device and provider, and can be pre-configured for use with both analog and 
digital telephone networks. Powerful, 
Complete Solution With an expansive feature set and no per user or phone 
licensing fees, the CudaTel 
Communication Server is equipped and priced for organizations of any size. 
Native High Definition audio support 
and integrated phone line (TDM) hardware produces an unparalleled audio 
experience. VOIP encryption protects calls 
from hackers and digital eavesdroppers.

(Copy of the Vendor Homepage: http://www.barracudanetworks.ca/cudatel.aspx )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple client side 
vulnerabilities in the Barracuda Networks CudaTel v2.6.002.040 appliance 
application.


Report-Timeline:

2012-11-27: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2012-11-28: Vendor Notification (Barracuda Networks Security - Bug Bounty 
Program)
2012-12-01: Vendor Response/Feedback (Barracuda Networks Security - Bug 
Bounty Program)
2013-03-14: Vendor Fix/Patch (Barracuda Networks Developer) [Coordination: 
Dave Farrow]
2012-06-25: Public Disclosure (Vulnerability Laboratory)


Status:

Published


Affected Products:
==
Barracuda Networks
Product: CudaTel - Communication Server 2.6.002.040


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple client side input validation vulnerabilities are detected  in the 
Barracuda Networks CudaTel v2.6.002.040 appliance application.
The non-persistent vulnerabilities allows an attacker (remote) to manipulate 
client side application to browser requests.

The vulnerability (client side) is located in the siplist and list module when 
processing to request manipulated bbx_provider_gateway_name, 
bbx_provider_gateway_username or bbx_provider_gateway_host parameter listing. 

Exploitation of the vulnerability requires medium application user interaction. 
Successful exploitation of the vulnerability results in 
client side phishing, client side session hijacking, client side external 
redirects to malware or evil websites and client side module 
context manipulation(cache). 


Vulnerable Module(s):
[+] siplist - Listing
[+] list - Listing

Vulnerable Parameter(s):
[+] bbx_provider_gateway_name
[+] bbx_provider_gateway_username
[+] bbx_provider_gateway_host


Proof of Concept:
=
The client side input validation vulnerabilities can be exploited by remote 
attackers without required application user account and with 
medium or high required user interaction. For demonstration or reproduce ...

Path: 
gui/gateway/siplist
gui/gateway/list


Parameter: 
undefined, bbx_provider, rows, page & searchstring

Values: 
bbx_provider_gateway_name, bbx_provider_gateway_username & 
bbx_provider_gateway_host

Review: List

<pre>--- 
count: 1
list: 
  - 

bbx_domain_id: 6
bbx_extension_block_begin: 2008
bbx_extension_block_end: 2008
bbx_extension_id: 26
bbx_extension_id_primary: 26
bbx_extension_rcd: 2012-11-26 15:58:45.413912
bbx_extension_rpd: 2012-11-26 15:58:45.413912
bbx_extension_value: 2008
bbx_queue_id: 12
flag_auto_provision: 0
flag_external: 0
flag_locked: 0
flag_primary: 1
flag_standalone: 1
flag_super: 0
flag_voicemail: 0
show_name: \[PERSISTENT INJECTED SCRIPT CODE!]
sort_name: \[PERSISTENT INJECTED SCRIPT CODE!]
type: queue
page: 1
rows: 25
</pre>



Review: SipList

pre--- 
count: 4

page: 1
rows: 30

siplist: 
  - 

bbx_provider_gateway_flag_inbound: 1
bbx_provider_gateway_flag_outbound: 1
bbx_provider_gateway_host: \/\/'\[PERSISTENT INJECTED SCRIPT CODE!]
bbx_provider_gateway_id: 22
bbx_provider_gateway_name: \[PERSISTENT INJECTED SCRIPT CODE!]
bbx_provider_gateway_port: 5060
bbx_provider_gateway_state: REFRESH
bbx_provider_gateway_username: \/\/'\[PERSISTENT INJECTED SCRIPT CODE!]
bbx_provider_name: Generic 

Barracuda CudaTel 2.6.02.04 - Persistent Web Vulnerability

2013-06-28 Thread Vulnerability Lab
Title:
==
Barracuda CudaTel 2.6.02.04 - Persistent Web Vulnerability


Date:
=
2013-06-21


References:
===
http://vulnerability-lab.com/get_content.php?id=777

BARRACUDA NETWORK SECURITY ID: BNSEC-834


VL-ID:
=
777


Common Vulnerability Scoring System:

3.5


Introduction:
=
Designed to enable seamless voice and video communication, the CudaTel 
Communication Server is an easy-to-use, 
affordable, next-generation phone system for businesses. CudaTel Communication 
Server's enterprise-class 
feature set includes Voice over IP (VoIP) PBX services, conferencing, 
follow-me, automated attendant services, 
and more, controlled by an easy-to-use Web interface. CudaTel Communication 
Server is compatible with any SIP 
device and provider, and can be pre-configured for use with both analog and 
digital telephone networks. Powerful, 
Complete Solution With an expansive feature set and no per user or phone 
licensing fees, the CudaTel 
Communication Server is equipped and priced for organizations of any size. 
Native High Definition audio support 
and integrated phone line (TDM) hardware produces an unparalleled audio 
experience. VOIP encryption protects calls 
from hackers and digital eavesdroppers.

(Copy of the Vendor Homepage: http://www.barracudanetworks.ca/cudatel.aspx )


Abstract:
=
The Vulnerability Laboratory Research Team discovered a client side web 
vulnerability in Barracuda Networks CudaTel v2.6.002.040 appliance application.


Report-Timeline:

2012-11-26: Researcher Notification & Coordination (Chokri Ben Achour)
2012-11-27: Vendor Notification (Barracuda Networks Security Team - Bug 
Bounty Program)
2013-04-03: Vendor Response/Feedback (Barracuda Networks Security Team - 
Bug Bounty Program)
2013-05-02: Vendor Fix/Patch (Barracuda Networks Developer Team) 
[Coordination: Dave Farrow]
2012-06-00: Public Disclosure (Vulnerability Laboratory)


Status:

Published


Affected Products:
==
Barracuda Networks
Product: CudaTel - Communication Server 2.6.002.040


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

The vulnerability laboratory research team discovered a persistent web 
vulnerability  in Barracuda Networks CudaTel v2.6.002.040 appliance application.
The input validation vulnerability allows remote attackers to inject own 
malicious persistent script code on application side of the vulnerable module.

The vulnerability is located in the `find me` module of the `call forwarding` 
function when processing to request manipulated parameters via `add listing`.
Local low privilege application user accounts can inject persistent script code 
to exploit higher privilege web application accounts. 

The remote bug can be exploited by remote attacker with low privileged 
application user account and low required user interaction. Successful 
exploitation of the vulnerabilities result in persistent session hijacking, 
persistent external redirects to malware or malicious sites, persistent 
phishing and persistent web context manipulation (vulnerable module).

Vulnerable Section(s):
[+] Find Me

Vulnerable Module(s):
[+] Call Forwarding - Add

Vulnerable Parameter(s):
[+] Calling Sequence - Listing


Proof of Concept:
=





Solution:
=
The vulnerability can be patched by parsing the listed (output) web context 
after processing to add.
Restrict also the input fields and disallow special chars or wrong strings.

2013-05-02: Vendor Fix/Patch (Barracuda Networks Developer Team) 
[Coordination: Dave Farrow]


Risk:
=
The security risk of the persistent input validation vulnerability is estimated 
as medium.


Credits:

Vulnerability Laboratory [Research Team] - Chokri Ben Achour 
(meis...@vulnerability-lab.com)


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:www.vulnerability-lab.com   - www.vuln-lab.com  
   - 
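The fix both CudaTel reports above call for (escaping the listed output), as an added Ruby example that is not Barracuda code: the same gateway record rendered by string concatenation and by output encoding at the point of rendering. The record is constructed for the demonstration and carries the parameter names the first report lists (bbx_provider_gateway_name, bbx_provider_gateway_username, bbx_provider_gateway_host); the payload strings are illustrative, not the researchers' own.

```ruby
require 'cgi'

# Constructed gateway record with a payload in each field named by the report.
HOSTILE_GATEWAY = {
  bbx_provider_gateway_name:     '<script>alert(1)</script>',
  bbx_provider_gateway_username: '"><img src=x onerror=alert(2)>',
  bbx_provider_gateway_host:     "' onmouseover='alert(3)",
}.freeze

# The bug class: stored or reflected values concatenated straight into markup.
def render_row_unescaped(gw)
  %(<tr data-host="#{gw[:bbx_provider_gateway_host]}">) +
    %(<td>#{gw[:bbx_provider_gateway_name]}</td>) +
    %(<td>#{gw[:bbx_provider_gateway_username]}</td></tr>)
end

# Output encoding: CGI.escapeHTML replaces & < > " and ', so the value is inert
# both as text and inside a quoted attribute. The attribute must be quoted;
# with an unquoted attribute a space ends the value and escaping alone does
# not help.
def h(value)
  CGI.escapeHTML(value.to_s)
end

def render_row_escaped(gw)
  %(<tr data-host="#{h(gw[:bbx_provider_gateway_host])}">) +
    %(<td>#{h(gw[:bbx_provider_gateway_name])}</td>) +
    %(<td>#{h(gw[:bbx_provider_gateway_username])}</td></tr>)
end

# Regression check for the renderer: does any raw payload survive verbatim?
# (A check on the output, not a filter on the input.)
def leaks_markup?(html, payloads)
  payloads.any? { |p| html.include?(p) }
end

if $PROGRAM_NAME == __FILE__
  puts render_row_unescaped(HOSTILE_GATEWAY)
  puts render_row_escaped(HOSTILE_GATEWAY)
end
```

Input restrictions on the add form, as the second report also suggests, are a useful second layer but are not the fix: the same gateway names reach the listing through the API and through imports, and the listing is the only place that knows it is emitting HTML.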

[slackware-security] ruby (SSA:2013-178-01)

2013-06-28 Thread Slackware Security Team

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[slackware-security]  ruby (SSA:2013-178-01)

New ruby packages are available for Slackware 13.1, 13.37, 14.0, and -current
to fix a security issue.


Here are the details from the Slackware 14.0 ChangeLog:
+--+
patches/packages/ruby-1.9.3_p448-i486-1_slack14.0.txz:  Upgraded.
  This update patches a vulnerability in Ruby's SSL client that could allow
  man-in-the-middle attackers to spoof SSL servers via a valid certificate
  issued by a trusted certification authority.
  For more information, see:

http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4073
  (* Security fix *)
+--+


Where to find the new packages:
+-+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the Get Slack section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ruby-1.9.3_p448-i486-1_slack13.1.txz

Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ruby-1.9.3_p448-x86_64-1_slack13.1.txz

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ruby-1.9.3_p448-i486-1_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ruby-1.9.3_p448-x86_64-1_slack13.37.txz

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ruby-1.9.3_p448-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ruby-1.9.3_p448-x86_64-1_slack14.0.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/ruby-1.9.3_p448-i486-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/d/ruby-1.9.3_p448-x86_64-1.txz


MD5 signatures:
+-+

Slackware 13.1 package:
ed7eaa7fdb9ee08dd69e444a6c2c23d8  ruby-1.9.3_p448-i486-1_slack13.1.txz

Slackware x86_64 13.1 package:
163e6c7d99abb43725d37c6ff16681ce  ruby-1.9.3_p448-x86_64-1_slack13.1.txz

Slackware 13.37 package:
3c23d63e4e8dcdd3465f63f38cb05663  ruby-1.9.3_p448-i486-1_slack13.37.txz

Slackware x86_64 13.37 package:
c7cb042a91dbe0882366b73bf2025ee0  ruby-1.9.3_p448-x86_64-1_slack13.37.txz

Slackware 14.0 package:
dfb8718508b9dca9ce1b56c2fd90d3fd  ruby-1.9.3_p448-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
7ec70f13351a8ccd31f8d61169a453d1  ruby-1.9.3_p448-x86_64-1_slack14.0.txz

Slackware -current package:
06a4826e83382f0c722855bea37f766a  d/ruby-1.9.3_p448-i486-1.txz

Slackware x86_64 -current package:
13fe939b565e81fe4a57ddbdf8217286  d/ruby-1.9.3_p448-x86_64-1.txz


Installation instructions:
++

Upgrade the package as root:
# upgradepkg ruby-1.9.3_p448-i486-1_slack14.0.txz


+-+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

++
| To leave the slackware-security mailing list:  |
++
| Send an email to majord...@slackware.com with this text in the body of |
| the email message: |
||
|   unsubscribe slackware-security   |
||
| You will get a confirmation message back containing instructions to|
| complete the process.  Please do not reply to this email address.  |
++
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlHM4B0ACgkQakRjwEAQIjPQpQCeIfgOcQN9jwa4cvikWHQGtmW7
m0gAnj1+lLtcuuIyRuQa+NHI8PKj49x8
=tGaX
-END PGP SIGNATURE-
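The bypass behind CVE-2013-4073, as an added Ruby example that is not Ruby's own ssl.rb: the client compared the requested hostname against the certificate's subjectAltName dNSName entries after rendering the extension through a C-string text API, so an entry carrying an embedded NUL byte, such as www.ruby-lang.org\0.attacker.example, was seen as www.ruby-lang.org and matched (a CA that only validated attacker.example would have had to issue it, which is the "valid certificate issued by a trusted certification authority" in the ChangeLog). The fixed check works on the bytes as carried in the certificate and treats any NUL as a hard failure. SAN lists and hostnames below are constructed.

```ruby
# How the vulnerable client saw a dNSName: the extension was printed as text
# through a C string, so everything from the first NUL byte onwards vanished.
def c_string_view(name)
  name.split("\0", 2).first.to_s
end

# RFC 6125-style match of one dNSName pattern against a hostname: case-
# insensitive, same number of labels, no empty labels, and '*' honoured only
# as the entire leftmost label (so *.example.com matches www.example.com but
# neither example.com nor a.b.example.com). Embedded NUL anywhere fails.
def dns_name_matches?(pattern, hostname)
  return false if pattern.include?("\0") || hostname.include?("\0")
  p_labels = pattern.downcase.split('.', -1)
  h_labels = hostname.downcase.split('.', -1)
  return false if p_labels.length < 2 || p_labels.length != h_labels.length
  return false if p_labels.any?(&:empty?) || h_labels.any?(&:empty?)
  p_labels.each_with_index.all? { |label, i|
    (i.zero? && label == '*') || label == h_labels[i]
  }
end

# Vulnerable flow: match against the truncated view of each SAN entry.
def vulnerable_identity_check(san_dns_names, hostname)
  san_dns_names.any? { |n| dns_name_matches?(c_string_view(n), hostname) }
end

# Fixed flow: match against the entry exactly as carried in the certificate.
def fixed_identity_check(san_dns_names, hostname)
  san_dns_names.any? { |n| dns_name_matches?(n, hostname) }
end

if $PROGRAM_NAME == __FILE__
  spoof = ["www.ruby-lang.org\0.attacker.example"]
  puts "vulnerable: #{vulnerable_identity_check(spoof, 'www.ruby-lang.org')}"
  puts "fixed:      #{fixed_identity_check(spoof, 'www.ruby-lang.org')}"
end
```

The same truncation bug appears in any verifier that hands ASN.1 strings to C string routines; the general rule is to compare lengths as well as bytes, and to reject names that cannot occur in a valid DNS name before matching.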


Re: Barracuda CudaTel 2.6.02.04 - Persistent Web Vulnerability

2013-06-28 Thread Henri Salo
On Fri, Jun 28, 2013 at 12:47:46AM +0100, Vulnerability Lab wrote:
<snip>
> (Copy of the Vendor Homepage: http://www.barracudanetworks.ca/cudatel.aspx )

What?

> Report-Timeline:
> 
> 2012-11-26: Researcher Notification & Coordination (Chokri Ben Achour)
> 2012-11-27: Vendor Notification (Barracuda Networks Security Team - Bug 
> Bounty Program)
> 2013-04-03: Vendor Response/Feedback (Barracuda Networks Security Team - 
> Bug Bounty Program)
> 2013-05-02: Vendor Fix/Patch (Barracuda Networks Developer Team) 
> [Coordination: Dave Farrow]
> 2012-06-00: Public Disclosure (Vulnerability Laboratory)

What?

> Vulnerable Section(s):
> [+] Find Me
> 
> Vulnerable Module(s):
> [+] Call Forwarding - Add
> 
> Vulnerable Parameter(s):
> [+] Calling Sequence - Listing

What?

Do you hit some send advisory -button in your web page without checking the
details? Why don't you just include PoC?

---
Henri Salo




[ MDVSA-2013:186 ] puppet

2013-06-28 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2013:186
 http://www.mandriva.com/en/support/security/
 ___

 Package : puppet
 Date: June 28, 2013
 Affected: Business Server 1.0
 ___

 Problem Description:

 Updated puppet packages fix remote code execution vulnerability
 
 When making REST api calls, the puppet master takes YAML from
 an untrusted client, deserializes it, and then calls methods on
 the resulting object. A YAML payload can be crafted to cause the
 deserialization to construct an instance of any class available in
 the ruby process, which allows an attacker to execute code contained
 in the payload (CVE-2013-3567).
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3567
 http://advisories.mageia.org/MGASA-2013-0187.html
 ___

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 1532146f04c77b3a71e01bbbaa929d2c  mbs1/x86_64/puppet-2.7.22-1.mbs1.noarch.rpm
 e6b6a20c32faea8808d83364b96236ae  
mbs1/x86_64/puppet-server-2.7.22-1.mbs1.noarch.rpm 
 713d5666406f8bdf86f0e7bd6bf54bfa  mbs1/SRPMS/puppet-2.7.22-1.mbs1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com

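The deserialization hazard that MDVSA-2013:186 describes, as an added Ruby example that is not part of the advisory or of Puppet's code: a document carrying a `!ruby/object:` tag names the class the receiver will instantiate, and the fix is to load untrusted YAML with `YAML.safe_load`, which refuses such tags. The `AuditRecord` class and both documents are constructed for illustration; `YAML.unsafe_load` is assumed to exist on Psych 3.3.2 or newer, with `YAML.load` used as the permissive loader on older versions.

```ruby
require 'yaml'

# Constructed stand-in for "any class available in the ruby process": an
# ordinary class that knows nothing about YAML and was never meant to be
# built from client input.
class AuditRecord
  attr_accessor :action
end

# Constructed document of the shape the advisory describes: the sender, not
# the receiver, picks the class by naming it in a ruby/object tag.
TAGGED_DOC = "--- !ruby/object:AuditRecord\naction: run\n".freeze

# Plain-data document for comparison: mappings and scalars only.
PLAIN_DOC = "---\naction: run\n".freeze

# Permissive deserialization, the behaviour the advisory warns about: every
# ruby/object tag is honoured, so the named class is instantiated and its
# instance variables are filled from the document. Psych >= 3.3.2 calls this
# YAML.unsafe_load; on older Psych, YAML.load itself is the permissive loader.
def permissive_deserialize(doc)
  loader = YAML.respond_to?(:unsafe_load) ? :unsafe_load : :load
  YAML.public_send(loader, doc)
end

# Hardened deserialization: no classes beyond the basic scalar and collection
# types are permitted and aliases are disabled, so an object tag raises
# Psych::DisallowedClass instead of constructing anything.
def safe_deserialize(doc)
  YAML.safe_load(doc, permitted_classes: [], aliases: false)
end

# Reports what the hardened loader did with a document: the value it produced
# for plain data, or a marker plus the error text when it rejected a tag.
def classify(doc)
  [:plain_data, safe_deserialize(doc)]
rescue Psych::DisallowedClass => e
  [:rejected_object_tag, e.message]
end

if $PROGRAM_NAME == __FILE__
  puts permissive_deserialize(TAGGED_DOC).inspect   # an AuditRecord instance
  puts classify(TAGGED_DOC).inspect                 # :rejected_object_tag, ...
  puts classify(PLAIN_DOC).inspect                  # :plain_data, {"action"=>"run"}
end
```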


Re: EMC Avamar: World writable cache files

2013-06-28 Thread security_alert
ESA-2013-003: EMC Avamar Client Elevation of Privilege Vulnerability

EMC Identifier: ESA-2013-003

CVE Identifier: CVE-2012-2291

Severity Rating: CVSS v2 Base Score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Affected products:  

•   EMC Avamar HP-UX Client 4.x, 5.x and 6.x
•   EMC Avamar Mac OS Client 4.x, 5.x and 6.x
•   EMC Avamar Plugin for Oracle 4.x, 5.x and 6.x

Note: Other Linux and Unix Avamar client systems could also be affected as a 
result of a support or locally-performed procedure that incorrectly sets the 
permission of the Avamar var directory (/usr/local/avamar/var or 
/opt/AVMRclnt/var).

Summary:  

Due to a vulnerability, described in detail below, the Avamar client leaves 
certain directories and files as world writable.  The presence of world 
writable directories and files may inadvertently result in elevation of 
privileges by a user who has access to the local file system. 

Details:  

The Avamar affected client process runs as root and after each backup it leaves 
the cache files as world readable and writable. While the cache files 
themselves do not contain sensitive information, when the parent directory is 
world-writable, the cache files could be used by an attacker to elevate the 
privileges when a system-level backup is performed.  The non-root user can 
create symbolic links to obtain unauthorized access to files on the affected 
system.

Note: This vulnerability information is currently public. EMC is not aware of 
any instance in which the vulnerability has been exploited maliciously.

Resolution:  

The following EMC Avamar product contains a resolution to this issue:

•   EMC Avamar Client Hotfix # 50184 (client version 6.1.101-89)

The Avamar client software must be upgraded by applying client hotfix #50184 
(client version 6.1.101-89). This hotfix first requires the Avamar Server to be 
upgraded to 6.1.0 or newer.
If your Avamar Server is already at 6.1.0 or newer, then you can upgrade your 
client version to 6.1.101-89.  See 
http://solutions.emc.com/emcsolutionview.asp?id=esg135935 for detailed 
instructions.

If you do not wish to upgrade your client software at this time, the following 
workaround steps must be performed to mitigate the risk until the full fix is 
available from EMC.

For HP-UX clients:
The permissions of the /opt/AVMRclnt/var directory should be set to 0755. 
Log into the HP-UX client as the “root” user and type the following command:
chmod 0755 /opt/AVMRclnt/var

For Mac OS clients:
The permissions of the /var/avamar directory should be set to 0755. 
Log into the Mac client as the “root” user and type the following command:
chmod 0755 /var/avamar

For Oracle clients:
The following procedure only applies to clients where the directory permissions 
of the Avamar var directory (/usr/local/avamar/var or /opt/AVMRclnt/var) have 
been manually changed after installation of the Avamar plugin for Oracle:
The permissions of the /usr/local/avamar/var should be set to 0775 with the 
group ownership set to the oracle group. Log into the Oracle client as the 
“root” user and type either of the following pairs of commands:

On Linux and Unix Oracle clients other than Solaris and HP-UX:

chmod 0775 /usr/local/avamar/var
chgrp oracle /usr/local/avamar/var

On Solaris and HP-UX Oracle clients:

chmod 0775 /opt/AVMRclnt/var
chgrp oracle /opt/AVMRclnt/var

Other Avamar clients:

 Verify that the permissions of the Avamar var directory (/usr/local/avamar/var 
or /opt/AVMRclnt/var) on Linux and Unix clients are not modified as a result of 
a support or locally-performed procedure. The permissions should be set to 0755.


If you have any questions or concerns about running the above commands please 
contact EMC Technical Support at http://www.emc.com/contact

[The following is standard text included in all security advisories.  Please do 
not change or delete.]

Read and use the information in this EMC Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein. If 
you have any questions regarding this product alert, contact EMC Software 
Technical Support at 1-877-534-2867.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution 
emc218831. EMC recommends all customers take into account both the base score 
and any relevant temporal and environmental scores which may impact the 
potential severity associated with particular security vulnerability.

EMC Corporation distributes EMC Security Advisories, in order to bring to the 
attention of users of the affected EMC products, important security 
information. EMC recommends that all users determine the applicability of this 
information to their individual situations and take appropriate action. The 
information set forth herein is provided as is without warranty of any kind. 
EMC disclaims all warranties, either express or implied, including the 
warranties of merchantability, fitness for a particular purpose, title and