[Full-disclosure] [SECURITY] [DSA 2828-1] drupal6 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2828-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso December 28, 2013 http://www.debian.org/security/faq - - Package: drupal6 Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2013-6385 CVE-2013-6386 Multiple vulnerabilities have been discovered in Drupal, a fully-featured content management framework: vulnerabilities due to optimistic cross-site request forgery protection, insecure pseudo random number generation, code execution and incorrect security token validation. In order to avoid the remote code execution vulnerability, it is recommended to create a .htaccess file (or an equivalent configuration directive in case you are not using Apache to serve your Drupal sites) in each of your sites' files directories (both public and private, in case you have both configured). Please refer to the NEWS file provided with this update and the upstream advisory at https://drupal.org/SA-CORE-2013-003 for further information. For the oldstable distribution (squeeze), these problems have been fixed in version 6.29-1. We recommend that you upgrade your drupal6 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSvqTxAAoJEAVMuPMTQ89EaHEP/AxpHBG5If4gp5eRN4DmD130 kiFMQ/nLsWCZjERT2+t1/plrhXWprLKowphduX06mvZJC725rbXPFWbo76mL6nxv 9cdQbsVBa4y5SovrY7MRNpNeP2u+BoH0P6qR5EGSFB6JwKggI5bjBBNpsA9T9bbK PqvNGz8F/gZKiL/QT28VJjJ2YlqHJ+ZE5aNk5LjKjLCyZLAlVSzVZF7IcOuKS1by wLJQhIsznlzUIw4P7Zz8xWPRaf5nKgEx3s6dhrS8qE2lEDBsXEBsn8+hTPcz7HqW yE7S/3RJR3r/6lNdHc+6J2wX6CcR0AFfbCRuqHPWkWjrCImpLZ2JVCa4IdnAINyY iiyHtIAWjtz0SPgprBtNFghJdUnYlhlsm82aF1iciNxSkpln9DGM1cvF5MS342OQ pCh5/P38qRQo5ZapGC/tyLfvXuB6DxiapdV/zA9DcdtEqavRg3x1jFZkQPVTTR29 u5O+r/V37/y/cvZFy6UHihOLGxJO8W9cXPPgcxy3VXYri2ENQCHwSUYiH/WqaOgo MAn04I7Pt177qobibB8wFOeiy3R4KtJQ4CezDz3SiTC+aHSKsDOqx+i/5zDw5kqN la2/Mub30Sbm5mP4YMXA2Cg1vwSFkxKJIrQDYUDdGTuOFyKPb0yGZY6I+MIHkpl4 MIBvmuN6queWnTgN/Wkx =/ko2 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2829-1] hplip security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2829-1 secur...@debian.org http://www.debian.org/security/Moritz Muehlenhoff December 28, 2013 http://www.debian.org/security/faq - - Package: hplip Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2013-0200 CVE-2013-4325 CVE-2013-6402 CVE-2013-6427 Multiple vulnerabilities have been found in the HP Linux Printing and Imaging System: Insecure temporary files, insufficient permission checks in PackageKit and the insecure hp-upgrade service has been disabled. For the oldstable distribution (squeeze), these problems have been fixed in version 3.10.6-2+squeeze2. For the stable distribution (wheezy), these problems have been fixed in version 3.12.6-3.1+deb7u1. For the unstable distribution (sid), these problems have been fixed in version 3.13.11-2. We recommend that you upgrade your hplip packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iEYEARECAAYFAlK/EGkACgkQXm3vHE4uylqQ6ACfcyR1uGDT3b4xshhggjmO5QDd 9qwAoKKPDDDBnBU3u8DWYkE3QhNavERj =gP71 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CALL FOR PAPERS - Hackers 2 Hackers Conference 11th edition
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CALL FOR PAPERS - Hackers 2 Hackers Conference 11th edition The call for papers for H2HC 11th edition is now open. H2HC is a hacker conference taking place in Sao Paulo, Brazil, from 18 to 19 of October 2014. Our public key is available at: https://www.h2hc.com.br/divulgacao/public.key [ - Introduction - ] For the eleventh consecutive year and past success we have been having, the annual Hackers 2 Hackers Conference will be held again in Sao Paulo, from 18 to 19 of October 2014 and aims to get together industry, government, academia and underground hackers to share knowledge and leading-edge ideas about information security and everything related to it. H2HC will feature national and international speakers and attendees with a wide range of skills. The atmosphere is favorable to present all facets of computer security subject and will be a great opportunity to network with like-minded people and enthusiasts. The conference is a dual-language conference, with ALL talks in English or simultaneously translated to English by professional linguists with experience in computer sciences translation. [ - The venue - ] H2HC 11th edition will take place at Novotel Morumbi (http://www.novotel.com/gb/hotel-0473-novotel-morumbi/index.shtml) in an auditorium with capacity for up to 600 people. Additionally, we will be helding in parallel to H2HC the BSides SP on October, 19 in an auditorium in the same venue with capacity for up to 200 people. [*] About Sao Paulo (taken from fiquemaisumdia.com.br) The city is the largest in Brazil and first in South America by population. Quite often Sao Paulo intimidates people because of its size, its constant pedestrian and vehicle traffic, ethnic and cultural multiplicity. Sao Paulo will surprise you whether you come here on business or for an expo, a congress or a convention, stay for at least one more day. Let yourself be seduced by the cultural diversity of this many-faceted city which vibrates, dictates fashion, is always anticipating trends, and welcomes Brazilians and foreigners from all over. And oh, do not forget to have fun in South America's wildest night life. [ - Topics - ] H2HC committee gives preference to lectures with practical demonstration. The conference staff will try to provide every equipment needed for the presentation in the case the author cannot provide them. The following topics include, but are not limited to: * Exploit development techniques * Telecom security and phone phreaking * Fuzzing and application security test * Penetration testing * Web application security * Techniques for development of secure software and systems * Hardware hacking, embedded systems and other electronic devices * Mobile devices exploitation, Symbian, P2K and bluetooth technologies * Analysis of virus, worms and all sorts of malwares * Reverse engineering * Rootkits * Security in Wi-Fi and VoIP environments * Information about smartcard and RFID security and similars * Technical approach to alternative operating systems * Denial of service attacks and/or countermeasures * Security aspects in SCADA and industrial environments and obscure networks * Cryptography * Lockpicking, trashing, physical security and urban exploration * Internet, privacy and Big Brother * Information warfare and industrial espionage [ - Important dates - ] Conference and trainings - H2HC Sao Paulo/Brazil October 16th and 17th: H2HC trainings 1 October 18th and 19th: H2HC 11th edition October 20th and 21st: H2HC trainings 2 Deadline and submissions Deadline for proposal submissions: May 17 2014 Deadline for slides submissions: July 17 2014 Notification of acceptance or rejection: no later than June 10 2014 * E-mail for proposal submissions: cfp *noSPAM* h2hc *dot* com *dot* br Make sure to provide along with your submission the following details: * Speaker name or handle, address, e-mail, phone number and general contact information * A brief but informative description about your talk * Short biography of the presenter, including organization, company and affiliations * Estimated time-length of presentation * General topic of the speech (eg.: network security, secure programming, computer forensics, etc.) * Any other technical requirements for your lecture * Whether you need visa to enter Brazil or not Speakers will be allocated 50 minutes of presentation time, although, if needed, we can extend the presentation length if requested in advance. Preferable file format for papers and slides are both PDF and also PPT for slides. Speakers are asked to hand in slides used in their lectures. PLEASE NOTE: Bear in mind no sales pitches will be allowed. If your presentation involves advertisement of products or services please do not submit. [ - Information for speakers - ] Speakers' privileges are: * H2HC staff can guarantee and we will provide accommodation for 2 nights * For each non-resident speaker we might be able to cover
[Full-disclosure] vm86 syscall kernel-panic and some more goodies waiting to be analyzed
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 It seems that at least on 32-bit Debian-sid kernel in VirtualBox guest, [1] triggers a kernel-panic. This simple POC does not allow privilege escalation although there might be also some time-race component involved, sometimes similar code seems to access uninitialized memory or triggers NULL-dereferences. Therefore the simple POC code could be extended for more extensive testing. See [2] for more information. hd [1] http://www.halfdog.net/Security/2013/Vm86SyscallTaskSwitchKernelPanic/Virtual86SwitchToEmmsFault.c [2] http://www.halfdog.net/Security/2013/Vm86SyscallTaskSwitchKernelPanic/ - -- http://www.halfdog.net/ PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlK/S3oACgkQxFmThv7tq+4bWwCfXUEPbsRB48dBuJ8BL6ajiJY6 lb0An3vqZ+lKWE577pHYYOdfbx1OLFDB =994F -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
