BugTraq Latest Security Advisories

The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

[SECURITY] [DSA 3041-1] xen security update

October 1, 2014 - 8:28am

Posted by Moritz Muehlenhoff on Oct 01

-------------------------------------------------------------------------
Debian Security Advisory DSA-3041-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
October 01, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : xen
CVE ID : CVE-2013-2072 CVE-2014-7154...

Reflected Cross-Site Scripting (XSS) in Textpattern

October 1, 2014 - 8:15am

Posted by High-Tech Bridge Security Research on Oct 01

Advisory ID: HTB23223
Product: Textpattern
Vendor: http://textpattern.com/
Vulnerable Version(s): 4.5.5 and probably prior
Tested Version: 4.5.5
Advisory Publication: July 9, 2014 [without technical details]
Vendor Notification: July 9, 2014
Vendor Patch: September 20, 2014
Public Disclosure: October 1, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-4737
Risk Level: Medium
CVSSv2 Base Score: 4.3...

Cross-Site Scripting (XSS) in Photo Gallery WordPress plugin

October 1, 2014 - 8:04am

Posted by High-Tech Bridge Security Research on Oct 01

Advisory ID: HTB23232
Product: Photo Gallery WordPress plugin
Vendor: http://web-dorado.com/
Vulnerable Version(s): 1.1.30 and probably prior
Tested Version: 1.1.30
Advisory Publication: September 10, 2014 [without technical details]
Vendor Notification: September 10, 2014
Vendor Patch: September 10, 2014
Public Disclosure: October 1, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-6315
Risk Level: Low
CVSSv2...

FreePBX (All Versions) RCE

October 1, 2014 - 7:55am

Posted by rob . thomas on Oct 01

We would like to announce that a significant security vulnerability has been discovered in all current versions of
FreePBX.

A CVE has been requested from Mitre, but has yet to be provided.

Further details as they come to hand will be available from
http://community.freepbx.org/t/critical-freepbx-rce-vulnerability-all-versions/24536 which should be treated as the
authoritative source of information. The CVE, when provided, will be linked from...

NEW VMSA-2014-0010 - VMware product updates address critical Bash security vulnerabilities

October 1, 2014 - 7:43am

Posted by VMware Security Response Center on Oct 01

VMware Security Advisory

Advisory ID: VMSA-2014-0010
Synopsis: VMware product updates address critical Bash
security vulnerabilities
Issue date: 2014-09-30
Updated on: 2014-09-30 (Initial Advisory)
CVE numbers: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186,
CVE-2014-7187
------------------------------------------------------------------------

1. Summary

VMware product updates address Bash security...

[security bulletin] HPSBHF03119 rev.1 - HP DreamColor Display running Bash Shell, Remote Code Execution

October 1, 2014 - 7:32am

Posted by security-alert on Oct 01

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04468293

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04468293
Version: 1

HPSBHF03119 rev.1 - HP DreamColor Display running Bash Shell, Remote Code
Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-09-30
Last...

[SECURITY] [DSA 3040-1] rsyslog security update

October 1, 2014 - 6:28am

Posted by Luciano Bello on Oct 01

-------------------------------------------------------------------------
Debian Security Advisory DSA-3040-1 security () debian org
http://www.debian.org/security/
September 30, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : rsyslog
CVE ID : CVE-2014-3634

Rainer Gerhards,...

[security bulletin] HPSBGN03117 rev.1 - HP Remote Device Access: Virtual Customer Access System (vCAS) running Bash Shell, Remote Code Execution

October 1, 2014 - 6:19am

Posted by security-alert on Oct 01

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04467807

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04467807
Version: 1

HPSBGN03117 rev.1 - HP Remote Device Access: Virtual Customer Access System
(vCAS) running Bash Shell, Remote Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as...

[security bulletin] HPSBMU03112 rev.1 - HP System Management Homepage (SMH) on Linux and Windows, Multiple Vulnerabilities

October 1, 2014 - 6:07am

Posted by security-alert on Oct 01

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04463322

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04463322
Version: 1

HPSBMU03112 rev.1 - HP System Management Homepage (SMH) on Linux and Windows,
Multiple Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date:...

[security bulletin] HPSBST02958 rev.1 - HP MPIO Device Specific Module Manager, Local Execution of Arbitrary Code with Privilege Elevation

October 1, 2014 - 5:59am

Posted by security-alert on Oct 01

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04048122

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04048122
Version: 1

HPSBST02958 rev.1 - HP MPIO Device Specific Module Manager, Local Execution
of Arbitrary Code with Privilege Elevation

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible....

All In One Wordpress Firewall 3.8.3 - Persistent Vulnerability

October 1, 2014 - 5:48am

Posted by Vulnerability Lab on Oct 01

Document Title:
===============
All In One Wordpress Firewall 3.8.3 - Persistent Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1325

Release Date:
=============
2014-09-29

Vulnerability Laboratory ID (VL-ID):
====================================
1327

Common Vulnerability Scoring System:
====================================
3.3

Product & Service Introduction:...

PayPal Inc Bug Bounty #71 PPM - Persistent Filter Vulnerability

October 1, 2014 - 5:37am

Posted by Vulnerability Lab on Oct 01

Document Title:
===============
PayPal Inc Bug Bounty #71 PPM - Persistent Filter Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=870

PayPal Security UID: Roc83bl

Release Date:
=============
2014-09-24

Vulnerability Laboratory ID (VL-ID):
====================================
870

Common Vulnerability Scoring System:
====================================
3.5

Product & Service...

PayPal Inc Bug Bounty #59 - Persistent Mail Encoding Vulnerability

October 1, 2014 - 5:27am

Posted by Vulnerability Lab on Oct 01

Document Title:
===============
PayPal Inc Bug Bounty #59 - Persistent Mail Encoding Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=844

PayPal Security UID: CabdfGa

Release Date:
=============
2014-09-23

Vulnerability Laboratory ID (VL-ID):
====================================
844

Common Vulnerability Scoring System:
====================================
3.5

Product & Service...

London DEFCON - September 30th 2014

September 30, 2014 - 6:48am

Posted by Major Malfunction on Sep 30

Yes, that's tonight!

Apologies for the late notice - I've been travelling. A lot.

In the meantime, The Phoenix finished their refurb and is back up and
running, and looking pretty swanky, so I'm looking forward to seeing
what's new... Let's hope they haven't changed the beer! :)

We don't have any specific talks scheduled for this month, but as
always, if you've got something interesting you want to...

[slackware-security] bash (SSA:2014-272-01)

September 30, 2014 - 6:40am

Posted by Slackware Security Team on Sep 30

[slackware-security] bash (SSA:2014-272-01)

New bash packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/bash-4.2.050-i486-1_slack14.1.txz: Upgraded.
Another bash update. Here's some information included with the patch:
"This patch changes the encoding bash uses for...
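As an added example, not part of the Slackware advisory and not code from the bash project: a small POSIX sh script that probes a given bash binary for the original Shellshock bug (CVE-2014-6271) with the widely published environment-variable test, then reports how that bash encodes exported functions when it hands them to child processes. The later upstream patches moved exported functions out of plain NAME=value variables into BASH_FUNC_name%% so that arbitrary environment variables are no longer parsed as function definitions, which is the encoding change the ChangeLog excerpt above refers to. The function names, the BASH_BIN knob and the constructed probe function probe_fn are my own; the script assumes bash and env are on PATH.

```shell
#!/bin/sh
# Added example, not from the Slackware advisory: probe a bash binary for
# CVE-2014-6271 and report how it encodes exported functions.
# Assumes bash and env are on PATH; BASH_BIN is an assumed knob for pointing
# the probe at another binary (e.g. BASH_BIN=/usr/local/bin/bash ./probe.sh).

# Returns 0 if the given bash is vulnerable to CVE-2014-6271, 1 otherwise.
# The probe puts a function definition in an environment variable followed by
# an extra command; an unpatched bash runs that trailing command while
# importing the function at startup, before -c 'echo probe' is executed.
bash_6271_vulnerable() {
    bb="${1:-bash}"
    out=$(env 'x=() { :;}; echo VULNERABLE' "$bb" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Prints how the given bash passes exported functions to child processes:
#   new  - BASH_FUNC_name%% (upstream post-fix encoding; some distributions
#          shipped BASH_FUNC_name() for a while, treated as equivalent here)
#   old  - a plain name=() { ... } variable, the pre-fix encoding that let
#          any attacker-controlled variable be parsed as a function body
#   none - no exported function seen in the child's environment
bash_export_encoding() {
    bb="${1:-bash}"
    listing=$("$bb" -c 'probe_fn() { :; }; export -f probe_fn; env' 2>/dev/null)
    case "$listing" in
        *"BASH_FUNC_probe_fn%%="*|*"BASH_FUNC_probe_fn()="*) echo new ;;
        *"probe_fn=() {"*)                                   echo old ;;
        *)                                                   echo none ;;
    esac
}

# Stand-alone run: report on the bash named by BASH_BIN, or the one on PATH.
target="${BASH_BIN:-bash}"
if bash_6271_vulnerable "$target"; then
    echo "$target: VULNERABLE to CVE-2014-6271"
else
    echo "$target: not vulnerable to CVE-2014-6271"
fi
echo "$target exported-function encoding: $(bash_export_encoding "$target")"
```

A bash that passes the first probe but still reports the old encoding has only the narrow parser fix; the follow-up CVEs (CVE-2014-7169, CVE-2014-7186, CVE-2014-7187) were found in the same import path, so the encoding check is the better indicator that the later patches are in place.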

[slackware-security] seamonkey (SSA:2014-271-03)

September 30, 2014 - 6:32am

Posted by Slackware Security Team on Sep 30

[slackware-security] seamonkey (SSA:2014-271-03)

New seamonkey packages are available for Slackware 14.0, 14.1, and -current to
fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.29.1-i486-1_slack14.1.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:...

[slackware-security] mozilla-thunderbird (SSA:2014-271-02)

September 30, 2014 - 6:22am

Posted by Slackware Security Team on Sep 30

[slackware-security] mozilla-thunderbird (SSA:2014-271-02)

New mozilla-thunderbird packages are available for Slackware 14.1 and -current
to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-24.8.1-i486-1_slack14.1.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:...

[ MDVSA-2014:191 ] perl-XML-DT

September 30, 2014 - 6:12am

Posted by security on Sep 30

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2014:191
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : perl-XML-DT
Date : September 29, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:...

Moab Authentication Bypass (insecure message signing) [CVE-2014-5376]

September 29, 2014 - 7:55am

Posted by john . fitzpatrick on Sep 29

##[Moab Authentication Bypass (insecure message signing) : CVE-2014-5376]##

Software: Moab
Affected Versions: Dependent on configuration, can affect all versions of Moab including Moab 8
CVE Reference: CVE-2014-5376
Author: John Fitzpatrick, Luke Jennings MWR Labs (http://labs.mwrinfosecurity.com/)
Severity: High Risk
Vendor: Adaptive Computing
Vendor Response: Provided additional guidance in 7.2.9 release notes (MOAB-7480)

##[Description]...

Moab User Impersonation [CVE-2014-5375]

September 29, 2014 - 7:41am

Posted by john . fitzpatrick on Sep 29

##[Moab User Impersonation : CVE-2014-5375]##

Software: Moab
Affected Versions: All current versions of Moab. However, the impact is limited in Moab 7.2.9 and Moab 8.
CVE Reference: CVE-2014-5375
Author: John Fitzpatrick, Luke Jennings MWR Labs (http://labs.mwrinfosecurity.com/)
Severity: High Risk
Vendor: Adaptive Computing
Vendor Response: Updates in Moab 7.2.9 and Moab 8 provide some mitigations

##[Description]

It is possible to submit jobs...