Quick CMS v 6.1 XSS Vulnerability

2016-01-19 Thread Rahul Pratap Singh
## FULL DISCLOSURE

#Product: Quick CMS
#Exploit Author  : Rahul Pratap Singh
#Version: 6.1
#Home page Link  : http://opensolution.org/home.html
#Website: 0x62626262.wordpress.com
#Linkedin   : https://in.linkedin.com/in/rahulpratapsingh94
#Date   : 19/Jan/2016

XSS Vulnerability:


Description:

 "sLangEdit" and "sSort" parameters are not sanitized, which leads to
reflected XSS.


Vulnerable Code:

File Name: languages.php

Found at line:23


File Name: pages.php

Found at line:49



Exploit:

localhost/Quick.Cms_v6.1-en/admin.php?p=languages=alert("XSS")


[CORE-2016-0001] - Intel Driver Update Utility MiTM

2016-01-19 Thread CORE Advisories Team
1. Advisory Information

Title: Intel Driver Update Utility MiTM
Advisory ID: CORE-2016-0001
Advisory URL: http://www.coresecurity.com/advisories/intel-driver-update-utility-mitm
Date published: 2016-01-19
Date of last update: 2016-01-14
Vendors contacted: Intel
Release mode: Coordinated release

2. Vulnerability Information

Class: Cleartext Transmission of Sensitive Information [CWE-319]
Impact: Information leak
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2016-1493



3. Vulnerability Description

The Intel Driver Update Utility [1] is a tool that analyzes the system drivers 
on your computer. The utility reports if any new drivers are available, and 
provides the download files for the driver updates so you can install them 
quickly and easily.

Intel [2] Driver Update Utility is prone to a Man-in-the-Middle attack which 
could result in integrity corruption of the transferred data, information leak 
and consequently code execution.

4. Vulnerable Packages

Intel Driver Update Utility 2.2.0.5
Other products and versions might be affected too, but they were not tested.

5. Vendor Information, Solutions and Workarounds

Intel released a new version of Intel Driver Update Utility [3] that solves the 
issue.

6. Credits

This vulnerability was discovered and researched by a member from Core Security 
Research Team. The publication of this advisory was coordinated by Joaquín 
Rodríguez Varela from Core Security Advisories Team.



7. Technical Description / Proof of Concept Code

7.1. Clear text Transmission of Update Information

[CVE-2016-1493] Once the application starts searching for driver updates many 
HTTP requests like the one below can be seen:

 
GET http://storefront.download.protexis.net/IDDAPI/Prod/productfamily/desktopboard/driver/getbyhardwaresignature/ven_8086_010a/a08/190.xml HTTP/1.1
Host: storefront.download.protexis.net
   
The URL path of the HTTP requests is easy to understand: the hardware ID is 
part of the path. This ID can be found in the device manager. In the XML file 
that is received from the server, there's a tag 'File_Url' that has the URL of 
the file that is going to be downloaded and executed by the application.

 

http://www.w3.org/2001/XMLSchema-instance; 
xmlns:xsd="http://www.w3.org/2001/XMLSchema; 
xmlns="http://tempuri.org/GetDrivers.xsd;>
  
24696
Graphics
Active
2015-02-04
15.28.23.64.4101
win64_152823.zip

http://downloadmirror.intel.com/24696/a08/win64_152823.zip
VEN_8086DEV_010A
true

  
en
Intel® HD Graphics Driver for Windows* 7/8/8.1 
64-bit
Installs the Intel® HD Graphics Driver for Windows* 
7/8/8.1 64-bit version 15.28.23.64.4101 (9.17.10.4101)
  

SOFTWARE\Intel\GFX
SOFTWARE\Intel\GFX
deferred
-s -overwrite
  

   
Once the application ends the search process, it shows the user the available 
driver updates. After downloading the drivers the user clicks on the 'Install' 
button and the binaries are executed. The only verification found was in the 
VerifyDownloadURL method of the DriverManager class. This does a domain 
verification, which can be easily bypassed if the attacker is performing an ARP 
poisoning attack combined with DNS spoofing.



8. Report Timeline

2015-11-12: Core Security sent an initial notification to Intel.
2015-11-26: Core Security sent another notification to Intel asking for a reply.
2015-12-14: Core Security sent a notification to Intel's Product Manager of 
their Update Utility.
2015-12-14: Intel requested Core Security for a draft copy of the advisory.
2015-12-15: Core Security asked Intel if they wanted to keep an encrypted 
communication or not.
2015-12-16: Intel requested Core Security to send the draft copy of the 
advisory in plain text.
2015-12-16: Core Security sent Intel a draft version of the advisory and 
requested a tentative date for releasing an update/fix.
2015-12-16: Intel informed Core Security that they were evaluating the report 
and that they would respond by the end of the week.
2015-12-18: Intel informed Core Security that they were testing a new version 
of the utility that should mitigate the vulnerability and that it would be 
available in mid-January.
2016-01-04: Core Security requested Intel the date and time they were going to 
publish the new version of the product.
2016-01-05: Intel informed Core Security that they were working towards a 
release on January 15.
2016-01-08: Core Security requested Intel if they were willing to consider to 
change the publication date from Friday 15 to Monday 18 of January in order to 
avoid the proximity to the weekend.
2016-01-08: Intel informed Core Security that they agreed on publishing on 
Monday 18 of January.
2016-01-08: Intel informed Core Security that they forgot that January 18 was a 
holiday in the United States, so they would be aiming to release it on Tuesday, 
January 19.
2016-01-11: Core Security informed Intel that we 
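
Added example, not part of the CORE advisory or of Intel's code: a Python sketch of the acceptance policy an updater needs when a manifest's 'File_Url' decides what gets executed, contrasted with a name-only host check that still passes for cleartext URLs. The `File_Sha256` element, the `Drivers`/`Driver` wrapper and all function names are assumptions made for illustration; the two host names are the ones shown in section 7.1.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Hosts as they appear in the advisory's request and sample response.
MANIFEST_HOSTS = {"storefront.download.protexis.net"}
DOWNLOAD_HOSTS = {"downloadmirror.intel.com"}


def host_only_check(url):
    """Name-only check: it ignores the scheme, so it also passes for http://
    URLs, where a spoofed DNS answer decides which server really responds."""
    return (urlsplit(url).hostname or "").lower() in DOWNLOAD_HOSTS


def authenticated_origin(url, allowed_hosts):
    """Policy check: https plus an allow-listed host. The HTTP client must
    still validate the server certificate when it performs the fetch."""
    parts = urlsplit(url)
    return parts.scheme == "https" and (parts.hostname or "").lower() in allowed_hosts


def parse_manifest(xml_text):
    """Return (File_Url, File_Sha256). File_Sha256 is a hypothetical element."""
    root = ET.fromstring(xml_text)
    url = root.findtext(".//File_Url")
    digest = root.findtext(".//File_Sha256")
    if not url or not digest:
        raise ValueError("manifest lacks File_Url or File_Sha256")
    return url.strip(), digest.strip().lower()


def accept_update(manifest_url, manifest_xml, payload):
    """Decide whether payload may be handed to the installer: (ok, reason)."""
    # A digest is only worth something if the manifest itself was authenticated.
    if not authenticated_origin(manifest_url, MANIFEST_HOSTS):
        return False, "manifest not fetched over TLS from an allowed host"
    try:
        file_url, expected = parse_manifest(manifest_xml)
    except (ET.ParseError, ValueError) as exc:
        return False, f"bad manifest: {exc}"
    if not authenticated_origin(file_url, DOWNLOAD_HOSTS):
        return False, "File_Url is not https on an allowed host"
    if hashlib.sha256(payload).hexdigest() != expected:
        return False, "payload digest does not match manifest"
    return True, "ok"


# Constructed sample data (not taken from real traffic).
SAMPLE_PAYLOAD = b"constructed driver package bytes"


def build_manifest(file_url, payload):
    """Build a constructed manifest carrying the URL and the payload digest."""
    digest = hashlib.sha256(payload).hexdigest()
    return (
        "<Drivers><Driver>"
        f"<File_Url>{file_url}</File_Url>"
        f"<File_Sha256>{digest}</File_Sha256>"
        "</Driver></Drivers>"
    )


if __name__ == "__main__":
    cleartext = "http://downloadmirror.intel.com/24696/a08/win64_152823.zip"
    print("host-only check on cleartext URL:", host_only_check(cleartext))
    print(accept_update("http://storefront.download.protexis.net/manifest.xml",
                        build_manifest(cleartext, SAMPLE_PAYLOAD), SAMPLE_PAYLOAD))
```
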

[SECURITY] [DSA 3448-1] linux security update

2016-01-19 Thread Salvatore Bonaccorso

- -
Debian Security Advisory DSA-3448-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 19, 2016  https://www.debian.org/security/faq
- -

Package: linux
CVE ID : CVE-2013-4312 CVE-2015-7566 CVE-2015-8767 CVE-2016-0723
 CVE-2016-0728

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation or denial-of-service.

CVE-2013-4312

Tetsuo Handa discovered that it is possible for a process to open
far more files than the process' limit leading to denial-of-service
conditions.

CVE-2015-7566

Ralf Spenneberg of OpenSource Security reported that the visor
driver crashes when a specially crafted USB device without bulk-out
endpoint is detected.

CVE-2015-8767

An SCTP denial-of-service was discovered which can be triggered by a
local attacker during a heartbeat timeout event after the 4-way
handshake.

CVE-2016-0723

A use-after-free vulnerability was discovered in the TIOCGETD ioctl.
A local attacker could use this flaw for denial-of-service.

CVE-2016-0728

The Perception Point research team discovered a use-after-free
vulnerability in the keyring facility, possibly leading to local
privilege escalation.

For the stable distribution (jessie), these problems have been fixed in
version 3.16.7-ckt20-1+deb8u3.

We recommend that you upgrade your linux packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



Quick Cart v6.6 XSS Vulnerability

2016-01-19 Thread Rahul Pratap Singh
## FULL DISCLOSURE

#Product: Quick Cart
#Exploit Author  : Rahul Pratap Singh
#Version: 6.6
#Home page Link  : http://opensolution.org/home.html
#Website: 0x62626262.wordpress.com
#Linkedin   : https://in.linkedin.com/in/rahulpratapsingh94
#Date   : 19/Jan/2016

XSS Vulnerability:


Description:

 "sSort" parameter is not sanitized, which leads to reflected XSS.


Vulnerable Code:

File Name: products.php

Found at line:26
'; ?>


Exploit:

localhost/Quick.Cart_v6.6/admin.php?p=pages-list="%20onclick="alert(1)=


POC:

https://0x62626262.files.wordpress.com/2016/01/quick-cartv6-6xsspoc.png


Disclosure Timeline:
Tried to contact vendor via email : 14/1/2016 ( email bounce back)
Tried to contact vendor via forum : 18/1/2016 (thread deleted, no response)
Public Disclosure: 19/1/2016

Pub ref:
https://0x62626262.wordpress.com/2016/01/19/quick-cart-v-6-6-xss-vulnerability




Executable installers are vulnerable^WEVIL (case 21): Panda Security's installers allow arbitrary (remote) code execution AND escalation of privilege with PANDAIS16.exe

2016-01-19 Thread Stefan Kanthak
Hi @ll,

the executable installers PANDAIS16.exe, PANDAAP16.exe,
PANDAGL16.exe and PANDAGP16.exe available from
 load and execute (at least) UXTheme.dll,
RichEd20.dll and RichEd32.dll from their "application directory".

For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
,

and 


If an attacker places the above named DLLs in the user's "Downloads"
directory (for example per drive-by download or social engineering)
this vulnerability becomes a remote code execution.

Due to the application manifest embedded in the executables which
specifies "requireAdministrator" the executable installer is run
with administrative privileges ("protected" administrators are
prompted for consent, unprivileged standard users are prompted for
an administrator password); execution of the DLLs therefore results
in an escalation of privilege!


Proof of concept/demonstration:
~~~

1. visit , download
   , save it
   as UXTheme.dll in your "Downloads" directory, then copy it as
   RichEd20.dll and RichEd32.dll;

2. download PANDA{IS,AP,GL,GP}16.exe and save it in your "Downloads"
   directory;

3. run PANDA{IS,AP,GL,GP}16.exe per double-click from your "Downloads"
   directory;

4. notice the message boxes displayed from the DLLs placed in step 1.

PWNED!


See  and
 as well as
 and
 for details about
this well-known and well-documented BEGINNER'S error!


regards
Stefan Kanthak


PS: I really LOVE (security) software with such trivial beginner's
errors. It's a tell-tale sign to stay away from this crapware!


Timeline:
~~~~~~~~~

2015-12-29    sent report to vendor

              NO ANSWER, not even an acknowledgement of receipt

2016-01-10    resent report to vendor

              NO ANSWER, not even an acknowledgement of receipt

2016-01-19    report published
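
Added example, not part of the original post: a Python audit of a download directory for the DLL names the post lists (UXTheme.dll, RichEd20.dll, RichEd32.dll) sitting beside executable installers, plus a helper that copies an installer alone into a fresh directory before it is run. Staging into an empty directory is a workaround assumed here, not something the post proposes, and the function names are illustrative.

```python
import shutil
import tempfile
from pathlib import Path

# DLL names the post reports being loaded from the "application directory".
WATCHED_DLLS = {"uxtheme.dll", "riched20.dll", "riched32.dll"}


def audit_directory(directory):
    """Classify loose files in one directory (non-recursive).

    Windows file names are case-insensitive, so names are compared in
    lower case. Any DLL next to an installer is worth a look; the watched
    names are the ones this post identifies.
    """
    report = {"watched": [], "other_dlls": [], "installers": []}
    entries = sorted(Path(directory).iterdir(), key=lambda p: p.name.lower())
    for entry in entries:
        if not entry.is_file():
            continue
        name = entry.name.lower()
        if name in WATCHED_DLLS:
            report["watched"].append(entry.name)
        elif name.endswith(".dll"):
            report["other_dlls"].append(entry.name)
        elif name.endswith(".exe"):
            report["installers"].append(entry.name)
    # An installer started from here would find these DLLs in its own directory.
    report["at_risk"] = bool(report["installers"]) and bool(
        report["watched"] or report["other_dlls"]
    )
    return report


def stage_installer(installer):
    """Copy one installer into a newly created, otherwise empty directory.

    mkdtemp creates the directory readable and writable only by the
    creating user, so nothing else is present when the installer starts.
    Returns the path of the staged copy.
    """
    src = Path(installer)
    staging = Path(tempfile.mkdtemp(prefix="clean-install-"))
    return Path(shutil.copy2(src, staging / src.name))


if __name__ == "__main__":
    downloads = Path.home() / "Downloads"
    if downloads.is_dir():
        print(audit_directory(downloads))
```
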


APPLE-SA-2016-01-19-1 iOS 9.2.1

2016-01-19 Thread Apple Product Security


APPLE-SA-2016-01-19-1 iOS 9.2.1

iOS 9.2.1 is now available and addresses the following:

Disk Images
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue existed in the parsing of
disk images. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2016-1717 : Frank Graziano of Yahoo! Pentest Team

IOHIDFamily
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue existed in an IOHIDFamily
API. This issue was addressed through improved memory handling.
CVE-ID
CVE-2016-1719 : Ian Beer of Google Project Zero

IOKit
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1720 : Ian Beer of Google Project Zero

Kernel
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1721 : Ian Beer of Google Project Zero and Ju Zhu of Trend
Micro

libxslt
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  A type confusion issue existed in libxslt. This issue
was addressed through improved memory handling.
CVE-ID
CVE-2015-7995 : puzzor

syslog
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to execute arbitrary code with root
privileges
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1722 : Joshua J. Drake and Nikias Bassen of Zimperium zLabs

WebKit
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2016-1723 : Apple
CVE-2016-1724 : Apple
CVE-2016-1725 : Apple
CVE-2016-1726 : Apple
CVE-2016-1727 : Apple

WebKit CSS
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Websites may know if the user has visited a given link
Description:  A privacy issue existed in the handling of the
"a:visited button" CSS selector when evaluating the containing
element's height. This was addressed through improved validation.
CVE-ID
CVE-2016-1728 : an anonymous researcher coordinated via Joe Vennix

WebSheet
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious captive portal may be able to access the user's
cookies
Description:  An issue existed that allowed some captive portals to
read or write cookies. The issue was addressed through an isolated
cookie store for all captive portals.
CVE-ID
CVE-2016-1730 : Adi Sharabani and Yair Amit of Skycure




[SECURITY] [DSA 3449-1] bind9 security update

2016-01-19 Thread Salvatore Bonaccorso

- -
Debian Security Advisory DSA-3449-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 19, 2016  https://www.debian.org/security/faq
- -

Package: bind9
CVE ID : CVE-2015-8704

It was discovered that specific APL RR data could trigger an INSIST
failure in apl_42.c and cause the BIND DNS server to exit, leading to a
denial-of-service.

For the oldstable distribution (wheezy), this problem has been fixed
in version 1:9.8.4.dfsg.P1-6+nmu2+deb7u9.

For the stable distribution (jessie), this problem has been fixed in
version 1:9.9.5.dfsg-9+deb8u5.

We recommend that you upgrade your bind9 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



APPLE-SA-2016-01-19-3 Safari 9.0.3

2016-01-19 Thread Apple Product Security


APPLE-SA-2016-01-19-3 Safari 9.0.3

Safari 9.0.3 is now available and addresses the following:

WebKit
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
OS X El Capitan v10.11 to v10.11.2
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2016-1723 : Apple
CVE-2016-1724 : Apple
CVE-2016-1725 : Apple
CVE-2016-1726 : Apple
CVE-2016-1727 : Apple

WebKit CSS
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
OS X El Capitan v10.11 to v10.11.2
Impact:  Websites may know if the user has visited a given link
Description:  A privacy issue existed in the handling of the
"a:visited button" CSS selector when evaluating the containing
element's height. This was addressed through improved validation.
CVE-ID
CVE-2016-1728 : an anonymous researcher coordinated via Joe Vennix




[security bulletin] HPSBGN03534 rev.1 - HPE Performance Center using Microsoft Report Viewer, Remote Disclosure of Information, Cross-Site Scripting (XSS)

2016-01-19 Thread security-alert

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04945270

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04945270
Version: 1

HPSBGN03534 rev.1 - HPE Performance Center using Microsoft Report Viewer,
Remote Disclosure of Information, Cross-Site Scripting (XSS)

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2016-01-19
Last Updated: 2016-01-19

Potential Security Impact: Remote Disclosure of Information, Cross-Site
Scripting (XSS)

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
A vulnerability in Microsoft Report Viewer was addressed by HPE Performance
Center. This is a Cross-Site scripting (XSS) vulnerability that could allow
remote information disclosure.

Note : For more details, please see the corresponding Microsoft Security
Bulletin at https://technet.microsoft.com/library/security/ms11-067

References:

  - MS11-067 Microsoft Security Bulletin
  - CVE-2011-1976
  - PSRT102982

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Performance Center 11.52, 12.00, 12.01, 12.20, 12.50

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference  Base Vector Base Score
CVE-2011-1976(AV:N/AC:M/Au:N/C:N/I:P/A:N)   4.3
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HPE has made the following mitigation information available to resolve the
vulnerability in Performance Center.

  - https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM02031101

  - HPE recommends updating the control even if it is not listed in affected
versions in the MS11-067 bulletin

HISTORY
Version:1 (rev.1) - 19 January 2016 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hpe.com.

Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-al...@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2016 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.



APPLE-SA-2016-01-19-2 OS X El Capitan 10.11.3 and Security Update 2016-001

2016-01-19 Thread Apple Product Security

APPLE-SA-2016-01-19-2 OS X El Capitan 10.11.3 and Security Update 
2016-001

OS X El Capitan 10.11.3 and Security Update 2016-001 is now available
and addresses the following:

AppleGraphicsPowerManagement
Available for:  OS X El Capitan v10.11 to v10.11.2
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1716 : moony li of Trend Micro and Liang Chen and Sen Nie of
KeenLab, Tencent

Disk Images
Available for:  OS X El Capitan v10.11 to v10.11.2
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue existed in the parsing of
disk images. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2016-1717 : Frank Graziano of Yahoo! Pentest Team

IOAcceleratorFamily
Available for:  OS X El Capitan v10.11.0 to v10.11.2
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1718 : Juwei Lin Trend Micro working with HP's Zero Day
Initiative

IOHIDFamily
Available for:  OS X El Capitan v10.11 to v10.11.2
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue existed in an IOHIDFamily
API. This issue was addressed through improved memory handling.
CVE-ID
CVE-2016-1719 : Ian Beer of Google Project Zero

IOKit
Available for:  OS X El Capitan v10.11 to v10.11.2
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1720 : Ian Beer of Google Project Zero

Kernel
Available for:  OS X El Capitan v10.11 to v10.11.2
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1721 : Ian Beer of Google Project Zero and Ju Zhu of Trend
Micro

libxslt
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 to v10.11.2
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  A type confusion issue existed in libxslt. This issue
was addressed through improved memory handling.
CVE-ID
CVE-2015-7995 : puzzor

OSA Scripts
Available for:  OS X El Capitan v10.11 to v10.11.2
Impact:  A quarantined application may be able to override OSA script
libraries installed by the user
Description:  An issue existed when searching for scripting
libraries. This issue was addressed through improved search order and
quarantine checks.
CVE-ID
CVE-2016-1729 : an anonymous researcher

syslog
Available for:  OS X El Capitan v10.11 to v10.11.2
Impact:  A local user may be able to execute arbitrary code with root
privileges
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1722 : Joshua J. Drake and Nikias Bassen of Zimperium zLabs
