Webgrind XSS vulnerability

2015-05-21 Thread hyp3rlinx
Credits: John Page ( hyp3rlinx )
Domains:  hyp3rlinx.altervista.org

Source:
http://hyp3rlinx.altervista.org/advisories/AS-WEBGRIND0520.txt

Vendor:
https://github.com/jokkedk/webgrind

Product:
Webgrind is a Xdebug Profiling Web Frontend in PHP.

Advisory Information:
=====================
Webgrind is vulnerable to cross site scripting attacks.

Exploit code:
=============
http://localhost/webgrind/index.php?op=fileviewer&file=%3Cscript%3Ealert('XSS hyp3rlinx')%3C/script%3E

Disclosure Timeline:
====================

May 19, 2015: Vendor Notification
May 20, 2015: Public Disclosure


Severity Level:
===============
Med

Description:


Request Method(s):
[+] GET

Vulnerable Product:
[+] Webgrind 

Vulnerable Parameter(s):
[+] file=[XSS]

Affected Area(s):
[+] Current user.

==

(hyp3rlinx)


[SECURITY] [DSA 3266-1] fuse security update

2015-05-21 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian Security Advisory DSA-3266-1                   secur...@debian.org
http://www.debian.org/security/                     Salvatore Bonaccorso
May 21, 2015                             http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: fuse
CVE ID : CVE-2015-3202

Tavis Ormandy discovered that FUSE, a Filesystem in USErspace, does not
scrub the environment before executing mount or umount with elevated
privileges. A local user can take advantage of this flaw to overwrite
arbitrary files and gain elevated privileges by accessing debugging
features via the environment that would not normally be safe for
unprivileged users.

For the oldstable distribution (wheezy), this problem has been fixed
in version 2.9.0-2+deb7u2.

For the stable distribution (jessie), this problem has been fixed in
version 2.9.3-15+deb8u1.

For the testing distribution (stretch) and the unstable distribution
(sid), this problem will be fixed soon.

We recommend that you upgrade your fuse packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)

2015-05-21 Thread Julian Reschke

Dear readers,

we just fixed a recently reported vulnerability in Apache Jackrabbit's
WebDAV module; see

- the attached CVE report
- patches for all currently maintained Jackrabbit branches

We just released Jackrabbit 2.10.1 (see below) and we'll get to the 
other branches shortly. Check the CVE for details about what to do for 
earlier branches if you can't wait for a release.


Thanks to 0ang...@gmail.com for bringing this to our attention and 
giving valuable feedback while we investigated the problem.


Thanks and best regards, Julian

-------- Forwarded Message --------
Subject: [ANNOUNCE] Apache Jackrabbit 2.10.1 released
Date: Thu, 21 May 2015 11:22:04 +0200
From: Marcel Reutegger mreut...@apache.org
Reply-To: us...@jackrabbit.apache.org
To: annou...@apache.org, annou...@jackrabbit.apache.org, Jackrabbit 
Developers d...@jackrabbit.apache.org, Jackrabbit Users 
us...@jackrabbit.apache.org, 0ang3el 0ang3el 0ang...@gmail.com, 
secur...@apache.org, oss-secur...@lists.openwall.com, 
bugtraq@securityfocus.com


The Apache Jackrabbit community is pleased to announce the release of
Apache Jackrabbit 2.10.1. This release fixes an important security issue in
the jackrabbit-webdav module reported by Mikhail Egorov.

The release is available for download at:

 http://jackrabbit.apache.org/downloads.html

See the full release notes below for details about this release.

Release Notes -- Apache Jackrabbit -- Version 2.10.1

Introduction


This is Apache Jackrabbit(TM) 2.10.1, a fully compliant implementation of the
Content Repository for Java(TM) Technology API, version 2.0 (JCR 2.0) as
specified in the Java Specification Request 283 (JSR 283).

Apache Jackrabbit 2.10.1 is a patch release that contains fixes and
improvements over Jackrabbit 2.10. Jackrabbit 2.10.x releases are considered
stable and targeted for production use.

Security advisory (JCR-3883 / CVE-2015-1833)


This release fixes an important security issue in the jackrabbit-webdav
module reported by Mikhail Egorov.

When processing a WebDAV request body containing XML, the XML parser can be
instructed to read content from network resources accessible to the host,
identified by URI schemes such as http(s) or file. Depending on the
WebDAV request, this can not only be used to trigger internal network
requests, but might also be used to insert said content into the request,
potentially exposing it to the attacker and others (for instance, by
inserting said content in a WebDAV property value using a PROPPATCH
request). See also IETF RFC 4918, Section 20.6.

Users of the jackrabbit-webdav module are advised to immediately update the
module to this release or disable WebDAV access to the repository. Users
on earlier versions of Jackrabbit who are unable to upgrade to 2.10.1 should
apply the fix to the corresponding 2.x branch or disable WebDAV access until
official releases of those earlier versions are available. Patches for 2.x
branches are attached to the JIRA issue.

Changes since Jackrabbit 2.10.0
-------------------------------

Bug fixes

  [JCR-3853] JCR2SPI: Load ac provider resource
  [JCR-3871] POI Vulnerabilities
  [JCR-3872] Config DTD does not declare ProtectedItemImporter elements
  [JCR-3873] CachingDataStore not safe against crashes, corrupted uploads file will prevent system startup
  [JCR-3876] POM dependency to jackrabbit-data test-jar is not test-scoped
  [JCR-3878] Fix test case failure in jackrabbit-data
  [JCR-3883] Jackrabbit WebDAV bundle susceptible to XXE/XEE attack

Improvements

  [JCR-3864] CachingDatastore - cache file sizes to save remote call to remote datastore (S3DS)
  [JCR-3868] Adapt TestCaseBase.java to test for FileDatastore
  [JCR-3869] CachingDataStore for SAN or NFS mounted storage
  [JCR-3879] Remove contention in AsyncUploadCache to improve performance
  [JCR-3881] Change CachingFDS configuration properties

New Features

  [JCR-3836] Allow to get an Authorizable of a given type

Sub-tasks

  [JCR-3837] Add AuthorizableTypeException in user security API package

In addition to the above-mentioned changes, this release contains
all the changes included up to the Apache Jackrabbit 2.10.0 release.

For more detailed information about all the changes in this and other
Jackrabbit releases, please see the Jackrabbit issue tracker at

https://issues.apache.org/jira/browse/JCR

Release Contents


This release consists of a single source archive packaged as a zip file.
The archive can be unpacked with the jar tool from your JDK installation.
See the README.txt file for instructions on how to build this release.

The source archive is accompanied by SHA1 and MD5 checksums and a PGP
signature that you can use to verify the authenticity of your download.
The public key used for the PGP signature can be found at
https://svn.apache.org/repos/asf/jackrabbit/dist/KEYS.

About Apache Jackrabbit
-----------------------

Apache Jackrabbit is 
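
As an added hardening example, not Jackrabbit's own code or its fix for JCR-3883: a JAXP parser configuration that refuses the kind of entity-bearing PROPPATCH body the advisory above describes, so neither a file nor an http(s) fetch can be triggered by the request. The request body, the property namespace and the class name are constructed for this illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class WebDavXmlHardening {
    // Constructed PROPPATCH body (not from the advisory): declares an external entity and references it in a property value.
    static final String PROPPATCH_BODY =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE propertyupdate [ <!ENTITY ext SYSTEM \"file:///etc/hostname\"> ]>\n"
        + "<D:propertyupdate xmlns:D=\"DAV:\" xmlns:x=\"urn:example:props\">\n"
        + "  <D:set><D:prop><x:note>&ext;</x:note></D:prop></D:set>\n"
        + "</D:propertyupdate>";

    // A WebDAV body never needs a DOCTYPE, so refuse one outright; the other features cover parsers that ignore the Xerces flag.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns true if the body parsed, false if the hardened parser rejected it.
    static boolean acceptsRequestBody(String body) throws ParserConfigurationException, IOException {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            Document doc = builder.parse(new InputSource(new StringReader(body)));
            return doc.getDocumentElement() != null;
        } catch (SAXException e) {
            // The DOCTYPE alone trips this path, before any entity could be resolved.
            System.err.println("rejected WebDAV body: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("entity-bearing PROPPATCH accepted? " + acceptsRequestBody(PROPPATCH_BODY));
    }
}
```

With the JDK's built-in Xerces the sample body is rejected at the DOCTYPE, which is the behaviour to verify after applying the same settings wherever WebDAV request bodies are parsed.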

CVE for Apple's ECDHE-ECDSA SecureTransport bug?

2015-05-21 Thread Jeffrey Walton
Does anyone know if Apple's ECDHE-ECDSA SecureTransport bug was
assigned a CVE? It affected OS X and iOS.

Effectively, the bug was an implementation error that caused
interoperability failures. To mostly counter it, the cipher suites had
to be disabled, which resulted in a loss of security. If the person
experiencing it did not know the cause, then they were left with a
Denial of Service (DoS).

To be clear, this was a different bug than CVE-2015-1130 (Goto Fail).

Also see SSL_OP_SAFARI_ECDHE_ECDSA_BUG on the OpenSSL wiki
(http://wiki.openssl.org/index.php/SSL_OP_SAFARI_ECDHE_ECDSA_BUG).


[SECURITY] [DSA 3261-2] libmodule-signature-perl regression update

2015-05-21 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian Security Advisory DSA-3261-2                   secur...@debian.org
http://www.debian.org/security/                     Salvatore Bonaccorso
May 20, 2015                             http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: libmodule-signature-perl
Debian Bug : 785701

The update for libmodule-signature-perl issued as DSA-3261-1 introduced
a regression in the handling of the --skip option of cpansign. Updated
packages are now available to address this regression. For reference,
the original advisory text follows.

Multiple vulnerabilities were discovered in libmodule-signature-perl, a
Perl module to manipulate CPAN SIGNATURE files. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2015-3406

John Lightsey discovered that Module::Signature could parse the
unsigned portion of the SIGNATURE file as the signed portion due to
incorrect handling of PGP signature boundaries.

CVE-2015-3407

John Lightsey discovered that Module::Signature incorrectly handles
files that are not listed in the SIGNATURE file. This includes some
files in the t/ directory that would execute when tests are run.

CVE-2015-3408

John Lightsey discovered that Module::Signature uses two-argument
open() calls to read the files when generating checksums from the
signed manifest. This allows embedding arbitrary shell commands in
the SIGNATURE file that would execute during the signature
verification process.

CVE-2015-3409

John Lightsey discovered that Module::Signature incorrectly handles
module loading, allowing modules to be loaded from relative paths in
@INC. A remote attacker providing a malicious module could use this
issue to execute arbitrary code during signature verification.

For the oldstable distribution (wheezy), this problem has been fixed in
version 0.68-1+deb7u3.

For the stable distribution (jessie), this problem has been fixed in
version 0.73-1+deb8u2.

For the unstable distribution (sid), this problem has been fixed in
version 0.79-1.

We recommend that you upgrade your libmodule-signature-perl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org