Webgrind XSS vulnerability
Credits: John Page (hyp3rlinx)
Domains: hyp3rlinx.altervista.org
Source: http://hyp3rlinx.altervista.org/advisories/AS-WEBGRIND0520.txt
Vendor: https://github.com/jokkedk/webgrind
Product: Webgrind is an Xdebug Profiling Web Frontend in PHP.

Advisory Information:
Webgrind is vulnerable to cross site scripting attacks.

Exploit code:
http://localhost/webgrind/index.php?op=fileviewerfile=%3Cscript%3Ealert('XSS hyp3rlinx')%3C/script%3E

Disclosure Timeline:
Vendor Notification: May 19, 2015
May 20, 2015: Public Disclosure

Severity Level:
Med

Description:
Request Method(s): [+] GET
Vulnerable Product: [+] Webgrind
Vulnerable Parameter(s): [+] file=[XSS]
Affected Area(s): [+] Current user.

(hyp3rlinx)
[SECURITY] [DSA 3266-1] fuse security update
Debian Security Advisory DSA-3266-1                   secur...@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
May 21, 2015                                  http://www.debian.org/security/faq

Package        : fuse
CVE ID         : CVE-2015-3202

Tavis Ormandy discovered that FUSE, a Filesystem in USErspace, does not scrub the environment before executing mount or umount with elevated privileges. A local user can take advantage of this flaw to overwrite arbitrary files and gain elevated privileges by accessing debugging features via the environment that would not normally be safe for unprivileged users.

For the oldstable distribution (wheezy), this problem has been fixed in version 2.9.0-2+deb7u2.

For the stable distribution (jessie), this problem has been fixed in version 2.9.3-15+deb8u1.

For the testing distribution (stretch) and the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your fuse packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)
Dear readers,

we just fixed a recently reported vulnerability in Apache Jackrabbit's WebDAV module; see

- the attached CVE report
- patches for all currently maintained Jackrabbit branches

We just released Jackrabbit 2.10.1 (see below) and we'll get to the other branches shortly. Check the CVE for details about what to do for earlier branches if you can't wait for a release.

Thanks to 0ang...@gmail.com for bringing this to our attention and giving valuable feedback while we investigated the problem.

Thanks and best regards,
Julian

-------- Forwarded Message --------
Subject: [ANNOUNCE] Apache Jackrabbit 2.10.1 released
Date: Thu, 21 May 2015 11:22:04 +0200
From: Marcel Reutegger mreut...@apache.org
Reply-To: us...@jackrabbit.apache.org
To: annou...@apache.org, annou...@jackrabbit.apache.org, Jackrabbit Developers d...@jackrabbit.apache.org, Jackrabbit Users us...@jackrabbit.apache.org, 0ang3el 0ang3el 0ang...@gmail.com, secur...@apache.org, oss-secur...@lists.openwall.com, bugtraq@securityfocus.com

The Apache Jackrabbit community is pleased to announce the release of Apache Jackrabbit 2.10.1. This release fixes an important security issue in the jackrabbit-webdav module reported by Mikhail Egorov.

The release is available for download at:

    http://jackrabbit.apache.org/downloads.html

See the full release notes below for details about this release.

Release Notes -- Apache Jackrabbit -- Version 2.10.1

Introduction
------------

This is Apache Jackrabbit(TM) 2.10.1, a fully compliant implementation of the Content Repository for Java(TM) Technology API, version 2.0 (JCR 2.0) as specified in the Java Specification Request 283 (JSR 283).

Apache Jackrabbit 2.10.1 is a patch release that contains fixes and improvements over Jackrabbit 2.10. Jackrabbit 2.10.x releases are considered stable and targeted for production use.

Security advisory (JCR-3883 / CVE-2015-1833)
--------------------------------------------

This release fixes an important security issue in the jackrabbit-webdav module reported by Mikhail Egorov.

When processing a WebDAV request body containing XML, the XML parser can be instructed to read content from network resources accessible to the host, identified by URI schemes such as http(s) or file. Depending on the WebDAV request, this can not only be used to trigger internal network requests, but might also be used to insert said content into the request, potentially exposing it to the attacker and others (for instance, by inserting said content in a WebDAV property value using a PROPPATCH request). See also IETF RFC 4918, Section 20.6.

Users of the jackrabbit-webdav module are advised to immediately update the module to this release or disable WebDAV access to the repository.

Users on earlier versions of Jackrabbit who are unable to upgrade to 2.10.1 should apply the fix to the corresponding 2.x branch or disable WebDAV access until official releases of those earlier versions are available. Patches for 2.x branches are attached to the JIRA issue.

Changes since Jackrabbit 2.10.0
-------------------------------

Bug fixes
  [JCR-3853] JCR2SPI: Load ac provider resource
  [JCR-3871] POI Vulnerabilities
  [JCR-3872] Config DTD does not declare ProtectedItemImporter elements
  [JCR-3873] CachingDataStore not safe against crashes, corrupted uploads file will prevent system startup
  [JCR-3876] POM dependency to jackrabbit-data test-jar is not test-scoped
  [JCR-3878] Fix test case failure in jackrabbit-data
  [JCR-3883] Jackrabbit WebDAV bundle susceptible to XXE/XEE attack

Improvements
  [JCR-3864] CachingDatastore - cache file sizes to save remote call to remote datastore (S3DS)
  [JCR-3868] Adapt TestCaseBase.java to test for FileDatastore
  [JCR-3869] CachingDataStore for SAN or NFS mounted storage
  [JCR-3879] Remove contention in AsyncUploadCache to improve performance
  [JCR-3881] Change CachingFDS configuration properties

New Features
  [JCR-3836] Allow to get an Authorizable of a given type

Sub-tasks
  [JCR-3837] Add AuthorizableTypeException in user security API package

In addition to the above-mentioned changes, this release contains all the changes included up to the Apache Jackrabbit 2.10.0 release.

For more detailed information about all the changes in this and other Jackrabbit releases, please see the Jackrabbit issue tracker at

    https://issues.apache.org/jira/browse/JCR

Release Contents
----------------

This release consists of a single source archive packaged as a zip file. The archive can be unpacked with the jar tool from your JDK installation. See the README.txt file for instructions on how to build this release.

The source archive is accompanied by SHA1 and MD5 checksums and a PGP signature that you can use to verify the authenticity of your download. The public key used for the PGP signature can be found at https://svn.apache.org/repos/asf/jackrabbit/dist/KEYS.

About Apache Jackrabbit
-----------------------

Apache Jackrabbit is
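As an added example (not Jackrabbit's own code and not the JCR-3883 patch), the following shows the JAXP parser hardening that closes the entity-expansion path the advisory describes: a DocumentBuilderFactory configured to refuse any DOCTYPE and external entity loading, exercised against a constructed PROPPATCH body. The feature URIs are the standard JAXP/Xerces ones; the class and method names and the sample bodies are my own.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class HardenedWebDavParser {
    // Build a DocumentBuilder that rejects any DOCTYPE (so no entity, internal or
    // external, can be declared) and, as defence in depth, also disables external
    // entity loading, external DTD fetching and XInclude. Class/method names are hypothetical.
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // True if the request body parses under the hardened settings, false if the
    // parser rejected it (for example because it carries a DOCTYPE).
    public static boolean accepts(String requestBody) {
        try {
            Document doc = newHardenedBuilder().parse(new InputSource(new StringReader(requestBody)));
            return doc.getDocumentElement() != null;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a benign PROPPATCH body as a WebDAV client would send it.
        String benign = "<?xml version=\"1.0\"?><D:propertyupdate xmlns:D=\"DAV:\"><D:set><D:prop>"
                + "<D:displayname>report</D:displayname></D:prop></D:set></D:propertyupdate>";
        // Constructed sample: the same body preceded by a DOCTYPE declaring an external entity
        // (harmless URI; the point is that the DOCTYPE itself is refused before anything is read).
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE x [<!ENTITY ext SYSTEM \"file:///dev/null\">]>"
                + "<D:propertyupdate xmlns:D=\"DAV:\"><D:set><D:prop>"
                + "<D:displayname>&ext;</D:displayname></D:prop></D:set></D:propertyupdate>";
        System.out.println("benign body accepted:  " + accepts(benign));
        System.out.println("DOCTYPE body accepted: " + accepts(withDoctype));
    }
}
```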
CVE for Apple's ECDHE-ECDSA SecureTransport bug?
Does anyone know if Apple's ECDHE-ECDSA SecureTransport bug was assigned a CVE? It affected OS X and iOS.

Effectively, the bug was an implementation error that caused interoperability failures. To mostly counter it, the cipher suites had to be disabled, which resulted in a loss of security. If the person experiencing it did not know the cause, then they were left with a Denial of Service (DoS).

To be clear, this was a different bug than CVE-2015-1130 (Goto Fail).

Also see SSL_OP_SAFARI_ECDHE_ECDSA_BUG on the OpenSSL wiki (http://wiki.openssl.org/index.php/SSL_OP_SAFARI_ECDHE_ECDSA_BUG).
[SECURITY] [DSA 3261-2] libmodule-signature-perl regression update
Debian Security Advisory DSA-3261-2                   secur...@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
May 20, 2015                                  http://www.debian.org/security/faq

Package        : libmodule-signature-perl
Debian Bug     : 785701

The update for libmodule-signature-perl issued as DSA-3261-1 introduced a regression in the handling of the --skip option of cpansign. Updated packages are now available to address this regression. For reference, the original advisory text follows.

Multiple vulnerabilities were discovered in libmodule-signature-perl, a Perl module to manipulate CPAN SIGNATURE files. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2015-3406

    John Lightsey discovered that Module::Signature could parse the unsigned portion of the SIGNATURE file as the signed portion due to incorrect handling of PGP signature boundaries.

CVE-2015-3407

    John Lightsey discovered that Module::Signature incorrectly handles files that are not listed in the SIGNATURE file. This includes some files in the t/ directory that would execute when tests are run.

CVE-2015-3408

    John Lightsey discovered that Module::Signature uses two argument open() calls to read the files when generating checksums from the signed manifest. This allows arbitrary shell commands to be embedded in the SIGNATURE file that would execute during the signature verification process.

CVE-2015-3409

    John Lightsey discovered that Module::Signature incorrectly handles module loading, allowing modules to be loaded from relative paths in @INC. A remote attacker providing a malicious module could use this issue to execute arbitrary code during signature verification.

For the oldstable distribution (wheezy), this problem has been fixed in version 0.68-1+deb7u3.

For the stable distribution (jessie), this problem has been fixed in version 0.73-1+deb8u2.

For the unstable distribution (sid), this problem has been fixed in version 0.79-1.

We recommend that you upgrade your libmodule-signature-perl packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org