[Full-disclosure] [Security-news] SA-CONTRIB-2013-098 - Ubercart - Session Fixation Vulnerability
View online: https://drupal.org/node/2158651

* Advisory ID: DRUPAL-SA-CONTRIB-2013-098
* Project: Ubercart [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2013-12-18
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Session Fixation

DESCRIPTION
-----------

The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal.

The module doesn't sufficiently protect against session fixation attacks when a user is automatically logged in to a newly created account during checkout.

This vulnerability is mitigated by the fact that an attacker must have access to the original session ID of the victim, and that the "Log in new customers after checkout" option must be enabled.

CVE IDENTIFIER(S) ISSUED
------------------------

* A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

VERSIONS AFFECTED
-----------------

* Ubercart 6.x-2.x versions prior to 6.x-2.13.
* Ubercart 7.x-3.x versions prior to 7.x-3.6.

Drupal core is not affected. If you do not use the contributed Ubercart [4] module, there is nothing you need to do.

SOLUTION
--------

Install the latest version:

* If you use the Ubercart module for Drupal 6.x, upgrade to Ubercart 6.x-2.13 [5]
* If you use the Ubercart module for Drupal 7.x, upgrade to Ubercart 7.x-3.6 [6]

Also see the Ubercart [7] project page.

REPORTED BY
-----------

* mettasoul [8]

FIXED BY
--------

* Dave Long [9] the module maintainer
* Rick Manelius [10] provisional member of the Drupal Security Team

COORDINATED BY
--------------

* Rick Manelius [11] provisional member of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [16]

[1] http://drupal.org/project/ubercart
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/ubercart
[5] https://drupal.org/node/2158565
[6] https://drupal.org/node/2158567
[7] http://drupal.org/project/ubercart
[8] http://drupal.org/user/1227990
[9] http://drupal.org/user/246492
[10] http://drupal.org/user/680072
[11] http://drupal.org/user/680072
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
security-n...@drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
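The condition the advisory describes (a new account gets bound to a session ID that already existed before checkout, so whoever knew that ID now holds an authenticated session) and its standard fix (issue a fresh session ID at the moment of login and retire the old one) are shown below in a small Python model. This is an added example written for this page, not Ubercart or Drupal code; the session store, the login functions and the sample IDs are all constructed for illustration.

```python
"""Session-fixation defence: rotate the session ID when an account is bound.

Added example, not Ubercart/Drupal code. Models the checkout auto-login the
advisory describes in a vulnerable form (keep the pre-existing ID) and a fixed
form (fresh ID, old one discarded). All names and IDs are constructed.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed value standing in for a session ID that was already present in the
# browser before checkout (the "original session ID" the advisory refers to).
ORIGINAL_SID = "sid-known-before-checkout"


@dataclass
class Session:
    user: Optional[str] = None              # None until an account is bound
    cart: List[str] = field(default_factory=list)


class SessionStore:
    """In-memory session table keyed by the opaque ID carried in the cookie."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def start(self, sid: Optional[str] = None) -> str:
        """Open an anonymous session; an explicit ID models a browser that already
        carries one when checkout begins."""
        sid = sid or secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login_without_rotation(self, sid: str, user: str) -> str:
        """Vulnerable pattern: bind the new account to the pre-existing ID."""
        self._sessions[sid].user = user
        return sid

    def login_with_rotation(self, sid: str, user: str) -> str:
        """Fixed pattern: new ID at the privilege change, old ID stops resolving;
        only the non-sensitive cart contents are carried over."""
        old = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(user=user, cart=old.cart)
        return new_sid


def checkout_with_autologin(rotate: bool) -> Tuple[SessionStore, str]:
    """Simulate 'Log in new customers after checkout'. Returns the store and the
    session ID the customer's browser ends up holding."""
    store = SessionStore()
    sid = store.start(ORIGINAL_SID)
    store.get(sid).cart.append("sku-1234")          # constructed cart item
    login = store.login_with_rotation if rotate else store.login_without_rotation
    return store, login(sid, "new-customer")


def original_id_still_authenticated(rotate: bool) -> bool:
    """True when the pre-checkout ID now resolves to the logged-in customer,
    i.e. the session-fixation condition is present."""
    store, _ = checkout_with_autologin(rotate)
    s = store.get(ORIGINAL_SID)
    return s is not None and s.user == "new-customer"


def customer_session_is_intact(rotate: bool) -> bool:
    """Rotation must not lose the customer's own login or cart."""
    store, sid = checkout_with_autologin(rotate)
    s = store.get(sid)
    return s is not None and s.user == "new-customer" and s.cart == ["sku-1234"]


if __name__ == "__main__":
    for rotate in (False, True):
        print(f"rotate={rotate}: original ID still authenticated ->",
              original_id_still_authenticated(rotate))
```

In a PHP application the rotation step is `session_regenerate_id(true)`, which Drupal 7 wraps as `drupal_session_regenerate()`; whatever API is used, the property worth asserting in a regression test is the one checked here: the ID known before the privilege change must no longer resolve to the authenticated session afterwards, while the customer's own session keeps its state.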
[Full-disclosure] [SECURITY] [DSA 2823-1] pixman security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2823-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
December 18, 2013                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pixman
Vulnerability  : integer underflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-6425

Bryan Quigley discovered an integer underflow in Pixman which could lead to denial of service or the execution of arbitrary code.

For the oldstable distribution (squeeze), this problem has been fixed in version 0.16.4-1+deb6u1.

For the stable distribution (wheezy), this problem has been fixed in version 0.26.0-4+deb7u1.

For the unstable distribution (sid), this problem has been fixed in version 0.30.2-2.

We recommend that you upgrade your pixman packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iEYEARECAAYFAlKxvq0ACgkQXm3vHE4uylrxHQCfUM5UhvMdwaQFn7fnyHUcSdkv
6XAAoIL9+/pBjy04jZmYhZ4ztyaH0ApE
=oi7U
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2822-1] xorg-server security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2822-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
December 18, 2013                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xorg-server
Vulnerability  : integer underflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-6424

Bryan Quigley discovered an integer underflow in the Xorg X server which could lead to denial of service or the execution of arbitrary code.

For the oldstable distribution (squeeze), this problem has been fixed in version 1.7.7-18.

For the stable distribution (wheezy), this problem has been fixed in version 1.12.4-6+deb7u2.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your xorg-server packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iEYEARECAAYFAlKxvkQACgkQXm3vHE4uylpz4QCffdkLUwzOql3f8KkvHlMhwnnO
TSIAn1GEXxcJsCyqhuChrIhq1XmQQbz2
=bzQO
-----END PGP SIGNATURE-----
[Full-disclosure] [ MDVSA-2013:294 ] gimp
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:294
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : gimp
 Date    : December 18, 2013
 Affected: Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in gimp:

 Multiple stack-based buffer overflows in file-xwd.c in the X Window Dump (XWD) plug-in in GIMP 2.8.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large (1) red, (2) green, or (3) blue color mask in an XWD file (CVE-2012-5576).

 Integer overflow in the load_image function in file-xwd.c in the X Window Dump (XWD) plug-in in GIMP 2.6.9 and earlier, when used with glib before 2.24, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large color entries value in an X Window System (XWD) image dump (CVE-2013-1913).

 Heap-based buffer overflow in the read_xwd_cols function in file-xwd.c in the X Window Dump (XWD) plug-in in GIMP 2.6.9 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an X Window System (XWD) image dump with more colors than color map entries (CVE-2013-1978).

 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5576
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1913
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1978
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 760cb6e3f2f6153d693af37d1bbfbfca  mes5/i586/gimp-2.6.12-0.2mdvmes5.2.i586.rpm
 1d8bb88baa044d9da28ed0ed1685492a  mes5/i586/gimp-python-2.6.12-0.2mdvmes5.2.i586.rpm
 0e6aefa03a8a03d88f269c31ccad700a  mes5/i586/libgimp2.0_0-2.6.12-0.2mdvmes5.2.i586.rpm
 443a37f7cd76ea9b9964881ff2ef931e  mes5/i586/libgimp2.0-devel-2.6.12-0.2mdvmes5.2.i586.rpm
 edc3b654d92fed53846488acf89abf13  mes5/SRPMS/gimp-2.6.12-0.2mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 436684c464f88f15e3e6fd14a73ff321  mes5/x86_64/gimp-2.6.12-0.2mdvmes5.2.x86_64.rpm
 d36d6c6cbe0734971d09032e249bdb50  mes5/x86_64/gimp-python-2.6.12-0.2mdvmes5.2.x86_64.rpm
 8789363de85e421285b42662dbbb5a4c  mes5/x86_64/lib64gimp2.0_0-2.6.12-0.2mdvmes5.2.x86_64.rpm
 5e5ce25f77ef23d27634dd9692d96d48  mes5/x86_64/lib64gimp2.0-devel-2.6.12-0.2mdvmes5.2.x86_64.rpm
 edc3b654d92fed53846488acf89abf13  mes5/SRPMS/gimp-2.6.12-0.2mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFSsXt4mqjQ0CJFipgRAnVkAJ9HxuNCuxEamXcMNifrYoBX3fIfSACgl5F/
GTBonEVHGuFLzHZN1cC4+U8=
=eCHY
-----END PGP SIGNATURE-----
[Full-disclosure] [ MDVSA-2013:293 ] gimp
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:293
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : gimp
 Date    : December 18, 2013
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated gimp package fixes security vulnerabilities:

 An integer overflow flaw and a heap-based buffer overflow were found in the way GIMP loaded certain X Window System (XWD) image dump files. A remote attacker could provide a specially crafted XWD image file that, when processed, would cause the XWD plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP (CVE-2013-1913, CVE-2013-1978).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1913
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1978
 http://advisories.mageia.org/MGASA-2013-0365.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 f15f770e4f29aa83895a448a68bb52f9  mbs1/x86_64/gimp-2.8.2-1.1.mbs1.x86_64.rpm
 d6e034a095663bdff562dfa31d24cb13  mbs1/x86_64/gimp-python-2.8.2-1.1.mbs1.x86_64.rpm
 a7f7cb682deb13ba751abf0fc32ce4c2  mbs1/x86_64/lib64gimp2.0_0-2.8.2-1.1.mbs1.x86_64.rpm
 a00244b9c15e58a5dac6f8502189cc32  mbs1/x86_64/lib64gimp2.0-devel-2.8.2-1.1.mbs1.x86_64.rpm
 b439aff06112b9c94f3c11aa002bc9de  mbs1/SRPMS/gimp-2.8.2-1.1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFSsXkDmqjQ0CJFipgRAhhFAJ0X6D0fJVgca4P5PNbN5xsU63dxqgCgv63M
A3cXq3aw87YU9Rj8aU4xxPI=
=5Ewm
-----END PGP SIGNATURE-----
[Full-disclosure] [ MDVSA-2013:292 ] links
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:292
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : links
 Date    : December 18, 2013
 Affected: Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Updated links package fixes security vulnerability:

 Mikulas Patocka discovered an integer overflow in the parsing of HTML tables in the Links web browser. This can only be exploited when running Links in graphical mode (CVE-2013-6050).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6050
 http://advisories.mageia.org/MGASA-2013-0364.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 0f818afa4714ac575b611414345bf672  mes5/i586/links-2.2-3.1mdvmes5.2.i586.rpm
 f2aa6a62f062f2dfd9eb1de17da71fb0  mes5/i586/links-common-2.2-3.1mdvmes5.2.i586.rpm
 dad44d84d9333c7aa3bddd07de1c86b7  mes5/i586/links-graphic-2.2-3.1mdvmes5.2.i586.rpm
 f3cac7be40394a4175f71ddf630cb992  mes5/SRPMS/links-2.2-3.1mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 11608b70da9a36689833e73403168d36  mes5/x86_64/links-2.2-3.1mdvmes5.2.x86_64.rpm
 065d526a308cea3b5b8c9ee4f89751d5  mes5/x86_64/links-common-2.2-3.1mdvmes5.2.x86_64.rpm
 bf242c78cc735eadae7b6b7617233db3  mes5/x86_64/links-graphic-2.2-3.1mdvmes5.2.x86_64.rpm
 f3cac7be40394a4175f71ddf630cb992  mes5/SRPMS/links-2.2-3.1mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFSsWeumqjQ0CJFipgRAlejAJ9Q1mPJ8GSTNh12s2FtisAXGXbc8ACg1FhR
5cCM171NkuC3pI2NhOHIVPc=
=pLzU
-----END PGP SIGNATURE-----
Re: [Full-disclosure] [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application
I would like to point out that the statements made in the emails from mikken.tut...@intersecworldwide.com are untrue at best, defamatory at worst. I am not going to lambast Jeff, Mikken, or Intersec Worldwide - but I will defend myself. Normally I would not respond to something like this in a public forum, however, Intersec Worldwide has forced my hand due to their untrue statements.

I never signed a Non-Disclosure Agreement with Intersec Worldwide when I started my contracting work for them. Now that's not to say I am going to start publishing all the vulnerabilities of their clients, far from it. I am stating this because prior to this email going out, I was called by Jeff Tutton the 'CISO' about the matter. We talked briefly for about 10 minutes on Wednesday, December 11, 2013. During this phone call I mentioned the fact that no NDA had been signed. He said he would look into this and work with his client on the matter regarding the vulnerability disclosure. I never heard back from him or anyone at Intersec Worldwide after this.

I emailed Jeff/Intersec this morning when I saw Fyodor's post and Mikken's/Intersec email alleging I violated their NDA. I gave Jeff/Intersec until EOB today to provide the original email with the signed NDA I sent to them, however, I have yet to receive this. I asked for a copy of the allegedly signed NDA last week as well. Failure to provide a legitimate copy of my sent email with a signed NDA proves to me that they forgot to have me sign an NDA. I should not be held liable for a lapse in their own processes. If they are able to come up with a legitimate copy of the signed NDA and email with legitimate email headers - I will gracefully apologize...which won't occur since I did not sign such a document. In this email, I also informed Jeff that I am terminating my 1099/contractor agreement with Intersec Worldwide effective immediately.

Due to the mention of legal action in their email, I have now retained the services of an attorney and will be ready to see this matter to a close.

Instead of focusing on the fact that information was disclosed after they had 6+ months to fix the vulnerability, they should be focusing on the positive aspect that they were able to fix the vulnerability and that it does not affect their product's current release version.

- Daniel Wood

On Dec 16, 2013, at 4:50 PM, Fyodor wrote:

> On Fri, Dec 6, 2013 at 8:07 PM, Daniel Wood wrote:
>
>> Title: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for
>> California (ZippyYum) 3.4 iOS mobile application
>>
>> Reported to Vendor: May 2013
>> CVE Reference: CVE-2013-6986
>
> Apparently you touched a nerve! If the legal threats we received for
> archiving this security advisory on SecLists.org are any indication, ZippyYum
> really doesn't want anyone to know they were storing users' credit card info
> (including security code) and passwords in cleartext on their phones.
>
> "Please remove this information from your website immediately in order at
> avoid further legal action." --Mikken Tutton, CEO of ZippyYum client
> IntersecWorldWide
>
> Of course we have ignored the threats and kept the advisory proudly posted
> at: http://seclists.org/fulldisclosure/2013/Dec/39
>
> Here are the legal threats we received today and last Wednesday:
>
> ---------- Forwarded message ----------
> From: Mikken Tutton
> Date: Mon, Dec 16, 2013 at 1:33 PM
> Subject: Fwd:
> To: jo...@grok.org.uk, fyo...@nmap.org, hostmas...@insecure.org
>
> Dear Webmaster,
>
> We contacted you last week regarding some private information about our
> client that you have posted on your website, in violation of Non-Disclosure
> agreements we have in place with our customer Zippy Yum. We are requesting
> that this information be removed immediately. The information to which I am
> referring is located on this page of your website:
> http://seclists.org/fulldisclosure/2013/Dec/39
>
> We would appreciate the courtesy of a response to our email within 48 hours
> so we can resolve this issue.
>
> If we do not receive a response, we will turn this matter over to our
> attorney for legal action. Thank you for your prompt attention to this matter.
>
> Sincerely,
>
> Mikken Tutton
> CEO
>
>
> ---------- Forwarded message ----------
> From: Mikken Tutton
> Date: Wed, Dec 11, 2013 at 11:03 AM
> Subject: Re:
> To: fyo...@nmap.org
> Cc: jo...@grok.org.uk
>
> Dear Mr. Lyon,
>
> It has come to my attention that the attached information is posted on your
> website about one of our clients. However, this information was released to
> you without authorization and is protected by the Non-Disclosure Agreements
> we have in place, both with our client and also with the contractor who
> submitted the information to your website in violation of said NDA.
>
> Please remove this information from your website immediately in order at
> avoid further legal action. Attached is a screen s
[Full-disclosure] [CVE-2013-5573] Jenkins v1.523 Default markup formatter permits offsite-bound forms
###

01. ### Advisory Information ###

Title: Default markup formatter permits offsite-bound forms
Date published: 2013-12-16
Date of last update: 2013-12-16
Vendors contacted: Jenkins CI v 1.523
Discovered by: Christian Catalano
Severity: Low

02. ### Vulnerability Information ###

CVE reference: CVE-2013-5573
CVSS v2 Base Score: 4.7
CVSS v2 Vector: (AV:N/AC:L/Au:M/C:P/I:P/A:N)
Component/s: Jenkins CI v 1.523
Class: HTML Injection

03. ### Introduction ###

Jenkins CI is an extendable open source continuous integration server: http://jenkins-ci.org.

04. ### Vulnerability Description ###

The default installation and configuration of Jenkins CI is prone to a security vulnerability. The Jenkins CI default markup formatter permits offsite-bound forms. This vulnerability could be exploited by a remote attacker (a malicious user) to inject malicious persistent HTML script code (application side).

05. ### Technical Description / Proof of Concept Code ###

The vulnerability is located in the 'Description' input field of the User Configuration function:

https://localhost:9444/jenkins/user/attacker/configure

To reproduce the vulnerability, the attacker (a malicious user) can add the malicious HTML script code:

http://www.mocksite.org/login/login.php.";> Username: Password:

in the 'Description' input field and click on the save button. The code execution happens when the victim (an unaware user) views the 'People List'

https://localhost:9444/jenkins/asynchPeople/

and clicks on the attacker's user id.

06. ### Business Impact ###

Exploitation of the persistent web vulnerability requires a low privilege web application user account. Successful exploitation of the vulnerability results in persistent phishing and persistent external redirects.

07. ### Systems Affected ###

This vulnerability was tested against: Jenkins CI v1.523

Older versions are probably affected too, but they were not checked.

08. ### Vendor Information, Solutions and Workarounds ###

Currently, there are no known upgrades or patches to correct this vulnerability. It is possible to temporarily mitigate the flaw by implementing the following workaround:

'MyspacePolicy' permits tag("form", "action", ONSITE_OR_OFFSITE_URL, "method");

Fix 'MyspacePolicy' by restricting the policy to ONSITE_URL only, or perhaps ban the form tag entirely.

09. ### Credits ###

This vulnerability has been discovered by:
Christian Catalano aka wastasy
ch(dot)catalano(at)gmail(dot)com

10. ### Vulnerability History ###

August 21st, 2013: Vulnerability identification
August 4th, 2013: Vendor notification [Jenkins CI]
November 19th, 2013: Vulnerability confirmation [Jenkins CI]
November 19th, 2013: Vendor Solution
December 16th, 2013: Vulnerability disclosure

11. ### Disclaimer ###

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

###
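The workaround in section 08 amounts to a policy decision: a `<form>` may survive sanitization only if its `action` stays on the site. The Python below is an added example written for this page, not the Jenkins markup formatter or its Java 'MyspacePolicy'; it models that decision as a classifier (onsite / offsite / unsafe-scheme) and a pass-through sanitizer that drops failing forms with their contents while leaving all other markup and entity escaping untouched. The sample description, the site host `localhost` and the function names are assumptions for illustration; the classifier also handles the tab-in-scheme and scheme-without-authority edge cases that a naive prefix check misses.

```python
"""Onsite-only form actions: classify <form action> and strip offsite forms.

Added example, not Jenkins code. Demonstrates the ONSITE_URL restriction the
advisory proposes for the markup formatter's form policy.
"""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed sample (not the advisory's PoC): one onsite search form and two
# forms whose action leaves the site, inside otherwise harmless description text.
SAMPLE_DESCRIPTION = (
    "<p>Build engineer &amp; release manager</p>"
    '<form action="/jenkins/search/" method="get"><input name="q"></form>'
    '<form action="http://www.mocksite.org/login/login.php" method="post">'
    '<input name="j_username"></form>'
    '<form action="//www.mocksite.org/collect" method="post"></form>'
)


def classify_action(action: str, site_host: str) -> str:
    """'onsite' for a relative URL or an http(s) URL on site_host, 'offsite' for
    an http(s) URL on any other host, 'unsafe-scheme' for everything else."""
    # Browsers drop ASCII control characters (tab, newline) inside URLs, so the
    # classifier must remove them before inspecting the scheme.
    cleaned = "".join(ch for ch in action if ord(ch) > 0x20)
    parts = urlsplit(cleaned)                  # urlsplit lowercases the scheme
    if parts.scheme and parts.scheme not in ("http", "https"):
        return "unsafe-scheme"                 # javascript:, data:, vbscript:, ...
    if parts.scheme and not parts.netloc:
        return "unsafe-scheme"                 # 'http:\\host' and similar oddities
    if not parts.netloc:
        return "onsite"                        # path, query-only or empty action
    if (parts.hostname or "").lower() == site_host.lower():
        return "onsite"
    return "offsite"


class OffsiteFormStripper(HTMLParser):
    """Re-emit markup unchanged except that every <form> whose action is not
    onsite is removed together with everything nested inside it."""

    def __init__(self, site_host: str) -> None:
        # convert_charrefs=False: re-emit &lt; and &#39; as written instead of
        # decoding them, which would silently undo the author's escaping.
        super().__init__(convert_charrefs=False)
        self.site_host = site_host
        self.out: List[str] = []
        self.findings: List[Tuple[str, str]] = []   # (action, verdict) per form
        self._suppress = 0                          # depth of dropped <form>s

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            action = dict(attrs).get("action") or ""
            verdict = classify_action(action, self.site_host)
            self.findings.append((action, verdict))
            if verdict != "onsite" or self._suppress:
                self._suppress += 1            # drop this form and its contents
                return
        if not self._suppress:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if not self._suppress:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self._suppress:
            if tag == "form":
                self._suppress -= 1
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._suppress:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._suppress:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._suppress:
            self.out.append(f"&#{name};")


def strip_offsite_forms(markup: str, site_host: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return the sanitized markup and the per-form verdicts (useful for logging
    which users submitted offsite-bound forms)."""
    parser = OffsiteFormStripper(site_host)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.findings


if __name__ == "__main__":
    cleaned, findings = strip_offsite_forms(SAMPLE_DESCRIPTION, "localhost")
    for action, verdict in findings:
        print(f"{verdict:14s} {action!r}")
    print(cleaned)
```

Comments and declarations are not re-emitted (HTMLParser's default), which is what a sanitizer wants anyway. The per-form verdict list doubles as a detection signal: a user whose description keeps producing `offsite` or `unsafe-scheme` findings is worth a look even after the markup has been stripped.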
[Full-disclosure] InfoSec Southwest 2014 CFP now open!
Hi computer enthusiasts!

I'm delighted to announce this year's call for papers for ISSW 2014 is open now through 11:59:59 CST, February 1, 2014.

ISSW 2014 will be held in downtown Austin, Texas, USA, from Friday, April 4 through Sunday, April 6th. Yes, this is well after SXSW, so all the out-of-towner hipsters should be long gone. You'll still be free to experience our usual complement of locally-raised hipsters.

Details on the CFP are here: http://2014.infosecsouthwest.com/cfp.html

Once you've confirmed you've hit the requirements listed there, please send your material to: c...@infosecsouthwest.com

Good luck!

--
Tod Beardsley, ISSW 2014 CFP Chair
t...@metasploit.com
[Full-disclosure] phrack.org being spammed
Seems that there is a lot of SPAM going on here:

* http://phrack.org/issues.html?issue=29&id=7#comments

Is phrack(.org) still maintained? It has been a while since the last one...

~
--
|_|0|_|  Yvan Janssens
|_|_|0|
|0|0|0|
[Full-disclosure] [ MDVSA-2013:290 ] mediawiki
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:290
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : mediawiki
 Date    : December 17, 2013
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated mediawiki packages fix security vulnerabilities:

 Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting Javascript in CSS that bypassed MediaWiki's blacklist (CVE-2013-4567, CVE-2013-4568).

 Internal review while debugging a site issue discovered that MediaWiki and the CentralNotice extension were incorrectly setting cache headers when a user was autocreated, causing the user's session cookies to be cached, and returned to other users (CVE-2013-4572).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4567
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4568
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4572
 http://advisories.mageia.org/MGASA-2013-0368.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 16978836b471c8c96de15bd2951f6973  mbs1/x86_64/mediawiki-1.20.8-1.mbs1.noarch.rpm
 b310f836d33a13eafc9c2bf5d4f125bd  mbs1/x86_64/mediawiki-mysql-1.20.8-1.mbs1.noarch.rpm
 039a7f1f78ab63f341ad33fab533aae5  mbs1/x86_64/mediawiki-pgsql-1.20.8-1.mbs1.noarch.rpm
 4bd73f5b354eed12f9a4235063f61898  mbs1/x86_64/mediawiki-sqlite-1.20.8-1.mbs1.noarch.rpm
 cc772a7609220723cfdb3a355edb1356  mbs1/SRPMS/mediawiki-1.20.8-1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFSsF3GmqjQ0CJFipgRAvozAJ4lKF946F+avpqvtNmqcKgZTpGknQCg3Okb
V+JjXL2C9JfeA81C5wnaXIg=
=DWkF
-----END PGP SIGNATURE-----
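The CVE-2013-4572 item above is a caching failure mode rather than a parsing bug: a response that set a fresh session cookie was served with headers that let a shared cache keep it, so the cached copy handed that cookie to the next visitor. The check below is an added example, not MediaWiki code and not its fix; it encodes the defensive rule that any response carrying `Set-Cookie` must be marked `Cache-Control: private` or `no-store`, and reports what it found when the rule is violated. The header sets, cookie name and labels are constructed samples.

```python
"""Flag responses that set a cookie yet remain storable by a shared cache.

Added example, not MediaWiki code. Rule: Set-Cookie requires Cache-Control
'private' or 'no-store'; anything else can be stored by a reverse proxy or CDN
and replayed, cookie included, to other users.
"""
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """'public, max-age=300, s-maxage=600' -> {'public': None, 'max-age': '300', ...}.
    Directive names are case-insensitive; quoted arguments are unquoted."""
    directives: Dict[str, Optional[str]] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, sep, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def cookie_cache_finding(headers: List[Header]) -> Optional[str]:
    """None when the response is safe for shared caches, otherwise a one-line
    description of why it is not."""
    lowered = [(name.lower(), value) for name, value in headers]
    if not any(name == "set-cookie" for name, _ in lowered):
        return None                                   # nothing user-specific to leak
    # Multiple Cache-Control headers combine as a comma-separated list.
    cc = parse_cache_control(",".join(v for n, v in lowered if n == "cache-control"))
    if "no-store" in cc or "private" in cc:
        return None                                   # shared caches must not keep it
    if not cc:
        return ("Set-Cookie without Cache-Control: shared caches may apply "
                "heuristic freshness and store the response")
    shown = ", ".join(k if v is None else f"{k}={v}" for k, v in cc.items())
    return f"Set-Cookie with shared-cacheable Cache-Control ({shown}); add private or no-store"


# Constructed samples modelled on the advisory's scenario (values illustrative).
AUTOCREATE_RESPONSE_BEFORE: List[Header] = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "wiki_session=EXAMPLE-SESSION-ID; path=/; HttpOnly"),
    ("Cache-Control", "public, max-age=300, s-maxage=600"),
]
AUTOCREATE_RESPONSE_AFTER: List[Header] = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "wiki_session=EXAMPLE-SESSION-ID; path=/; HttpOnly"),
    ("Cache-Control", "private, must-revalidate, max-age=0"),
]
ANONYMOUS_PAGE: List[Header] = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Cache-Control", "public, s-maxage=600"),        # fine: no cookie to leak
]


def audit(responses: Dict[str, List[Header]]) -> Dict[str, Optional[str]]:
    """Run the check over a labelled set of captured response headers."""
    return {label: cookie_cache_finding(hdrs) for label, hdrs in responses.items()}


if __name__ == "__main__":
    results = audit({
        "autocreate-before": AUTOCREATE_RESPONSE_BEFORE,
        "autocreate-after": AUTOCREATE_RESPONSE_AFTER,
        "anonymous-page": ANONYMOUS_PAGE,
    })
    for label, finding in results.items():
        print(f"{label}: {finding or 'ok'}")
```

The same function can be run over header captures from a proxy log or a crawler; the interesting hits are the pages that only set a cookie on some code path (account auto-creation, first login, consent banners), since those are exactly the ones whose cacheability was decided for the common, cookie-free case.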
[Full-disclosure] [ MDVSA-2013:291 ] kernel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:291
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : kernel
 Date    : December 17, 2013
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in the Linux kernel:

 The Linux kernel before 3.12.2 does not properly use the get_dumpable function, which allows local users to bypass intended ptrace restrictions or obtain sensitive information from IA64 scratch registers via a crafted application, related to kernel/ptrace.c and arch/ia64/include/asm/processor.h (CVE-2013-2929).

 The perf_trace_event_perm function in kernel/trace/trace_event_perf.c in the Linux kernel before 3.12.2 does not properly restrict access to the perf subsystem, which allows local users to enable function tracing via a crafted application (CVE-2013-2930).

 Multiple integer overflows in Alchemy LCD frame-buffer drivers in the Linux kernel before 3.12 allow local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted mmap operations, related to the (1) au1100fb_fb_mmap function in drivers/video/au1100fb.c and the (2) au1200fb_fb_mmap function in drivers/video/au1200fb.c (CVE-2013-4511).

 Buffer overflow in the exitcode_proc_write function in arch/um/kernel/exitcode.c in the Linux kernel before 3.12 allows local users to cause a denial of service or possibly have unspecified other impact by leveraging root privileges for a write operation (CVE-2013-4512).

 Multiple buffer overflows in drivers/staging/wlags49_h2/wl_priv.c in the Linux kernel before 3.12 allow local users to cause a denial of service or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability and providing a long station-name string, related to the (1) wvlan_uil_put_info and (2) wvlan_set_station_nickname functions (CVE-2013-4514).

 The bcm_char_ioctl function in drivers/staging/bcm/Bcmchar.c in the Linux kernel before 3.12 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an IOCTL_BCM_GET_DEVICE_DRIVER_INFO ioctl call (CVE-2013-4515).

 Memory leak in the __kvm_set_memory_region function in virt/kvm/kvm_main.c in the Linux kernel before 3.9 allows local users to cause a denial of service (memory consumption) by leveraging certain device access to trigger movement of memory slots (CVE-2013-4592).

 The lbs_debugfs_write function in drivers/net/wireless/libertas/debugfs.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service (OOPS) by leveraging root privileges for a zero-length write operation (CVE-2013-6378).

 The aac_send_raw_srb function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 3.12.1 does not properly validate a certain size value, which allows local users to cause a denial of service (invalid pointer dereference) or possibly have unspecified other impact via an FSACTL_SEND_RAW_SRB ioctl call that triggers a crafted SRB command (CVE-2013-6380).

 Buffer overflow in the qeth_snmp_command function in drivers/s390/net/qeth_core_main.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service or possibly have unspecified other impact via an SNMP ioctl call with a length value that is incompatible with the command-buffer size (CVE-2013-6381).

 The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call (CVE-2013-6383).

 The uio_mmap_physical function in drivers/uio/uio.c in the Linux kernel before 3.12 does not validate the size of a memory block, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via crafted mmap operations, a different vulnerability than CVE-2013-4511 (CVE-2013-6763).

 The updated packages provide a solution for these security issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2929
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2930
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4511
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4512
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4514
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4515
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4592
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6378
 http://cve.mitre.org/cgi-bin/cv
[Full-disclosure] [ MDVSA-2013:291 ] kernel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:291
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : kernel
 Date    : December 17, 2013
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in the Linux kernel:

 The Linux kernel before 3.12.2 does not properly use the get_dumpable function, which allows local users to bypass intended ptrace restrictions or obtain sensitive information from IA64 scratch registers via a crafted application, related to kernel/ptrace.c and arch/ia64/include/asm/processor.h (CVE-2013-2929).

 The perf_trace_event_perm function in kernel/trace/trace_event_perf.c in the Linux kernel before 3.12.2 does not properly restrict access to the perf subsystem, which allows local users to enable function tracing via a crafted application (CVE-2013-2930).

 Multiple integer overflows in Alchemy LCD frame-buffer drivers in the Linux kernel before 3.12 allow local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted mmap operations, related to the (1) au1100fb_fb_mmap function in drivers/video/au1100fb.c and the (2) au1200fb_fb_mmap function in drivers/video/au1200fb.c (CVE-2013-4511).

 Buffer overflow in the exitcode_proc_write function in arch/um/kernel/exitcode.c in the Linux kernel before 3.12 allows local users to cause a denial of service or possibly have unspecified other impact by leveraging root privileges for a write operation (CVE-2013-4512).

 Multiple buffer overflows in drivers/staging/wlags49_h2/wl_priv.c in the Linux kernel before 3.12 allow local users to cause a denial of service or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability and providing a long station-name string, related to the (1) wvlan_uil_put_info and (2) wvlan_set_station_nickname functions (CVE-2013-4514).

 The bcm_char_ioctl function in drivers/staging/bcm/Bcmchar.c in the Linux kernel before 3.12 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an IOCTL_BCM_GET_DEVICE_DRIVER_INFO ioctl call (CVE-2013-4515).

 Memory leak in the __kvm_set_memory_region function in virt/kvm/kvm_main.c in the Linux kernel before 3.9 allows local users to cause a denial of service (memory consumption) by leveraging certain device access to trigger movement of memory slots (CVE-2013-4592).

 The lbs_debugfs_write function in drivers/net/wireless/libertas/debugfs.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service (OOPS) by leveraging root privileges for a zero-length write operation (CVE-2013-6378).

 The aac_send_raw_srb function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 3.12.1 does not properly validate a certain size value, which allows local users to cause a denial of service (invalid pointer dereference) or possibly have unspecified other impact via an FSACTL_SEND_RAW_SRB ioctl call that triggers a crafted SRB command (CVE-2013-6380).

 Buffer overflow in the qeth_snmp_command function in drivers/s390/net/qeth_core_main.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service or possibly have unspecified other impact via an SNMP ioctl call with a length value that is incompatible with the command-buffer size (CVE-2013-6381).

 The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call (CVE-2013-6383).

 The uio_mmap_physical function in drivers/uio/uio.c in the Linux kernel before 3.12 does not validate the size of a memory block, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via crafted mmap operations, a different vulnerability than CVE-2013-4511 (CVE-2013-6763).

 The updated packages provide a solution for these security issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2929
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2930
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4511
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4512
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4514
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4515
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4592
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6378
 http://cve.mitre.org/cgi-bin/cv
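Two of the entries above (CVE-2013-4511 in the au1100fb/au1200fb mmap handlers and CVE-2013-6763 in uio_mmap_physical) are the same bug class seen from two sides: a driver mmap() handler that either never checks that the requested mapping fits the device region, or checks it with an `offset + length` sum that wraps for a large user-supplied page offset. The program below is an added illustration written for this page, not the kernel's driver code and not an exploit: it models the two checks on a stand-in for `struct vm_area_struct`, shows a page offset that defeats the wrapping check, and shows the page-based comparison (the invariants `vm_iomap_memory()` enforces, rewritten here rather than copied) that rejects it. The 64 KiB region size, the virtual address and `PAGE_SHIFT` 12 are assumed values for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of an mmap() bounds check in a character/frame-buffer driver.
 * Added illustration of the bug class named in MDVSA-2013:291
 * (CVE-2013-4511, CVE-2013-6763); it is not the kernel's own code.
 * A 64-bit "unsigned long" is modelled with uint64_t so the wrap-around
 * does not depend on the host ABI. */

#define PAGE_SHIFT 12
#define PAGE_SIZE  ((uint64_t)1 << PAGE_SHIFT)

/* The subset of struct vm_area_struct an mmap handler reads. All three
 * fields derive from the caller's mmap(addr, length, ..., offset). */
struct vma {
    uint64_t vm_start;
    uint64_t vm_end;
    uint64_t vm_pgoff;   /* offset in pages; attacker controlled */
};

/* Vulnerable pattern: "offset + length must fit in the device region",
 * evaluated with wrapping unsigned arithmetic. A page offset near 2^52
 * shifts to a byte offset near 2^64, the sum wraps to a small value and
 * a mapping that starts far outside the device region is accepted. */
static bool mmap_check_vulnerable(const struct vma *v, uint64_t region_len)
{
    uint64_t len = v->vm_end - v->vm_start;
    uint64_t off = v->vm_pgoff << PAGE_SHIFT;   /* high bits of vm_pgoff are lost */
    if (len + off > region_len)                 /* the sum itself can wrap to 0 */
        return false;
    return true;
}

/* Hardened pattern: work in pages, reject an offset beyond the region
 * before subtracting, then compare the mapping length against what is
 * left. No addition on user-controlled input can wrap, and the length
 * check is the one a handler that maps "whatever was asked for" lacks. */
static bool mmap_check_hardened(const struct vma *v, uint64_t region_len)
{
    uint64_t region_pages = (region_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
    uint64_t avail_pages;

    if (v->vm_end < v->vm_start)
        return false;
    if (v->vm_pgoff > region_pages)             /* offset past end of region */
        return false;
    avail_pages = region_pages - v->vm_pgoff;   /* cannot underflow now */
    if (((v->vm_end - v->vm_start) >> PAGE_SHIFT) > avail_pages)
        return false;                           /* mapping longer than what remains */
    return true;
}

static struct vma make_vma(uint64_t start, uint64_t len, uint64_t pgoff)
{
    struct vma v = { start, start + len, pgoff };
    return v;
}

/* Wrappers taking the mmap() parameters as scalars; the user-space
 * address is an arbitrary assumed value. */
bool vulnerable_accepts(uint64_t len, uint64_t pgoff, uint64_t region_len)
{
    struct vma v = make_vma(0x7f0000000000ULL, len, pgoff);
    return mmap_check_vulnerable(&v, region_len);
}

bool hardened_accepts(uint64_t len, uint64_t pgoff, uint64_t region_len)
{
    struct vma v = make_vma(0x7f0000000000ULL, len, pgoff);
    return mmap_check_hardened(&v, region_len);
}

/* A page offset chosen so that (pgoff << PAGE_SHIFT) + len wraps to 0,
 * which makes the vulnerable comparison "0 > region_len" and thus false. */
uint64_t wrapping_pgoff(uint64_t len)
{
    return (UINT64_C(0) - len) >> PAGE_SHIFT;
}

int main(void)
{
    const uint64_t region = 16 * PAGE_SIZE;     /* assumed 64 KiB device region */
    const uint64_t len = 16 * PAGE_SIZE;

    printf("benign 4-page map at pgoff 0:   vuln=%d hard=%d\n",
           vulnerable_accepts(4 * PAGE_SIZE, 0, region),
           hardened_accepts(4 * PAGE_SIZE, 0, region));
    printf("oversized 32-page map:          vuln=%d hard=%d\n",
           vulnerable_accepts(32 * PAGE_SIZE, 0, region),
           hardened_accepts(32 * PAGE_SIZE, 0, region));
    printf("wrapping pgoff 0x%llx:  vuln=%d hard=%d\n",
           (unsigned long long)wrapping_pgoff(len),
           vulnerable_accepts(len, wrapping_pgoff(len), region),
           hardened_accepts(len, wrapping_pgoff(len), region));
    return 0;
}
```

The vulnerable check does catch the plain oversized request; only the wrapped offset slips past it, which is why a review of such a handler has to look at how the comparison is formed, not only whether one exists. When auditing out-of-tree or staging drivers on a kernel of this vintage, the practical fix is the same as upstream's: replace hand-rolled offset arithmetic in `.mmap` with `vm_iomap_memory()` (or otherwise validate in pages, as above) rather than patching the comparison in place.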
[Full-disclosure] [ MDVSA-2013:289 ] owncloud
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:289
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : owncloud
 Date    : December 17, 2013
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 The updated owncloud package fixes a security vulnerability:

 Possible security bypass on the admin page under certain circumstances when MariaDB is in use (CVE-2013-6403).

 The owncloud package has been updated to version 5.0.13, fixing this and many other issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6403
 http://advisories.mageia.org/MGASA-2013-0367.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 b6ab376f1fc4bc6ca9e634231b6294fe  mbs1/x86_64/owncloud-5.0.13-1.mbs1.noarch.rpm
 9d37a933d3a0721fba300a7e07845f49  mbs1/SRPMS/owncloud-5.0.13-1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFSsFzOmqjQ0CJFipgRAuqzAJ9cx0WwSfFgSY2bGLYZU2QnQe+BVwCfSoXM
5S6yf4xrHguzkCK6KExdGBg=
=jCb6
-----END PGP SIGNATURE-----
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/