BugTraq Latest Security Advisories

Syndicate content
The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
Updated: 43 min 54 sec ago

[security bulletin] HPSBOV03226 rev.2 - HP TCP/IP Services for OpenVMS, BIND 9 Server Resolver, Multiple Remote Vulnerabilities

January 30, 2015 - 2:14pm

Posted by security-alert on Jan 30

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04530690

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04530690
Version: 2

HPSBOV03226 rev.2 - HP TCP/IP Services for OpenVMS, BIND 9 Server Resolver,
Multiple Remote Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release...
Categories:

[SECURITY] [DSA 3147-1] openjdk-6 security update

January 30, 2015 - 11:15am

Posted by Moritz Muehlenhoff on Jan 30

-------------------------------------------------------------------------
Debian Security Advisory DSA-3147-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
January 30, 2015 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : openjdk-6
CVE ID : CVE-2014-3566 CVE-2014-6585...
Categories:

[SECURITY] [DSA 3146-1] requests security update

January 30, 2015 - 11:06am

Posted by Sebastien Delafond on Jan 30

-------------------------------------------------------------------------
Debian Security Advisory DSA-3146-1 security () debian org
http://www.debian.org/security/ Sebastien Delafond
January 30, 2015 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : requests
CVE ID : CVE-2014-1829 CVE-2014-1830...
Categories:

ESA-2015-006: EMC Avamar Missing Certificate Validation Vulnerability

January 30, 2015 - 10:33am

Posted by Security Alert on Jan 30

ESA-2015-006: EMC Avamar Missing Certificate Validation Vulnerability

EMC Identifier: ESA-2015-006

CVE Identifier: CVE-2014-4632

Severity Rating: CVSSv2 Base Score: 7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)

Affected products:
• EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x.

Summary:
EMC Avamar contains a security vulnerability that may potentially be leveraged by a malicious user to obtain sensitive...
Categories:

[SECURITY] [DSA 3145-1] privoxy security update

January 30, 2015 - 8:22am

Posted by Salvatore Bonaccorso on Jan 30

-------------------------------------------------------------------------
Debian Security Advisory DSA-3145-1 security () debian org
http://www.debian.org/security/ Salvatore Bonaccorso
January 30, 2015 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : privoxy
CVE ID : CVE-2015-1381 CVE-2015-1382
Debian...
Categories:

[SECURITY] [DSA 3144-1] openjdk-7 security update

January 30, 2015 - 1:48am

Posted by Moritz Muehlenhoff on Jan 30

-------------------------------------------------------------------------
Debian Security Advisory DSA-3144-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
January 29, 2015 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : openjdk-7
CVE ID : CVE-2014-3566 CVE-2014-6585...
Categories:

NEW VMSA-2015-0002 VMware vSphere Data Protection product update addresses a certificate validation vulnerability

January 30, 2015 - 1:39am

Posted by VMware Security Response Center on Jan 30

------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2015-0002
Synopsis: VMware vSphere Data Protection product update addresses a
certificate validation vulnerability.
Issue date: 2015-01-29
Updated on: 2015-01-29 (Initial Advisory)
CVE number: CVE-2014-4632

------------------------------------------------------------------------

1. Summary...
Categories:

Symantec Encryption Management Server < 3.2.0MP6 - Remote Command Injection

January 30, 2015 - 1:31am

Posted by Paul Craig on Jan 30

Vantage Point Security Advisory 2014-007
========================================

Title: Symantec Encryption Management Server - Remote Command Injection
ID: VP-2014-007
Vendor: Symantec
Affected Product: Symantec Encryption Gateway
Affected Versions: < 3.2.0 MP6
Product Website: http://www.symantec.com/en/sg/gateway-email-encryption/
Author: Paul Craig <paul[at]vantagepoint[dot]sg

Summary:
---------
Symantec Gateway Email Encryption...
Categories:

Unauthenticated Reflected XSS vulnarbility in Asus RT-N10 Plus router

January 29, 2015 - 1:35pm

Posted by kingkaustubh on Jan 29

#####################################
Title:- Reflected XSS vulnarbility in Asus RT-N10 Plus router
Author: Kaustubh G. Padwad
Product: ASUS Router RT-N10 Plus
Firmware: 2.1.1.1.70
Severity: HIGH
Auth: Not requierd

# Description:
Vulnerable Parameter: flag=
# Vulnerability Class:
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))

# About Vulnerability: Asus Router RT-N10 Plus with firmware...
Categories:

Reflected XSS vulnarbility in Asus RT-N10 Plus Router

January 29, 2015 - 1:27pm

Posted by kingkaustubh on Jan 29

#####################################
Title:- Reflected XSS vulnarbility in Asus RT-N10 Plus router
Author: Kaustubh G. Padwad
Product: ASUS Router RT-N10 Plus
Firmware: 2.1.1.1.70
Severity: Medium
Auth: Requierd

# Description:
Vulnerable Parameter: flag=
# Vulnerability Class:
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))

# About Vulnerability: Asus Router RT-N10 Plus with firmware...
Categories:

ESA-2015-002: Unisphere Central Security Update for Multiple Vulnerabilities

January 29, 2015 - 1:18pm

Posted by Security Alert on Jan 29

ESA-2015-002: Unisphere Central Security Update for Multiple Vulnerabilities

EMC Identifier: ESA-2015-002

CVE Identifier: CVE-2013-1899, CVE-2013-1900, CVE-2013-1901, CVE-2013-1902, CVE-2012-5885, CVE-2011-3389,
CVE-2013-1767, CVE-2012-2137, CVE-2012-6548, CVE-2013-1797, CVE-2013-0231, CVE-2013-1774, CVE-2013-1848, CVE-2013-0311,
CVE-2013-2634, CVE-2013-0268, CVE-2013-0913,CVE-2013-1772, CVE-2013-0216, CVE-2013-1792, CVE-2012-6549,...
Categories:

Blubrry PowerPress Security Advisory - XSS Vulnerability - CVE-2015-1385

January 29, 2015 - 10:37am

Posted by Onur Yilmaz on Jan 29

Information
------------
Advisory by Netsparker
Name: XSS Vulnerability in Blubrry PowerPress
Affected Software : Blubrry PowerPress
Affected Versions: 6.0 and possibly below
Vendor Homepage : https://wordpress.org/plugins/powerpress/
Vulnerability Type : Cross-site Scripting
Severity : Important
CVE-ID: CVE-2015-1385
Netsparker Advisory Reference : NS-15-001

Description
-----------
By exploiting a Cross-site scripting vulnerability the attacker...
Categories:

CVE-2014-8779: SSH Host keys on Pexip Infinity

January 29, 2015 - 10:04am

Posted by giles on Jan 29

Summary
=======

The operating system used by Pexip Infinity does not create unique SSH
host keys on deployment of new Management and Conferencing Nodes, using
fixed host keys instead. Host keys are used to verify the identity of
the remote host when connecting to it over SSH. These keys are contained
in the publicly available software image.

An attacker with privileged network access may make use of these keys to
spoof the identity of a Pexip...
Categories:

[The ManageOwnage Series, part XII]: Multiple vulnerabilities in FailOverServlet (OpManager, AppManager, IT360)

January 29, 2015 - 9:02am

Posted by Pedro Ribeiro on Jan 29

Hi,

This is part 12 of the ManageOwnage series. For previous parts, see [1].

This time we have an arbitrary file download, directory content
disclosure and blind SQL injection vulnerabilities in ManageEngine
OpManager, Applications Manager and IT360.

I've pushed two new Metasploit modules into the framework that exploit
the file download and the content disclosure [2], these should
hopefully be accepted soon.
The full advisory text is...
Categories:

Cisco Security Advisory: GNU glibc gethostbyname Function Buffer Overflow Vulnerability

January 29, 2015 - 8:53am

Posted by Cisco Systems Product Security Incident Response Team on Jan 29

Cisco Security Advisory: GNU glibc gethostbyname Function Buffer Overflow Vulnerability

Advisory ID: cisco-sa-20150128-ghost

Revision 1.0

For Public Release 2015 January 28 22:30 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

On January 27, 2015, a buffer overflow vulnerability in the GNU C library (glibc) was publicly announced. This
vulnerability is related to the various gethostbyname...
Categories:

AST-2015-001: File descriptor leak when incompatible codecs are offered

January 29, 2015 - 8:45am

Posted by Asterisk Security Team on Jan 29

Asterisk Project Security Advisory - AST-2015-001

Product Asterisk
Summary File descriptor leak when incompatible codecs are
offered
Nature of Advisory Resource exhaustion
Susceptibility Remote Authenticated Sessions...
Categories:

[slackware-security] glibc (SSA:2015-028-01)

January 29, 2015 - 8:36am

Posted by Slackware Security Team on Jan 29

[slackware-security] glibc (SSA:2015-028-01)

New glibc packages are available for Slackware 13.0, 13.1, 13.37, 14.0,
and 14.1 to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/glibc-2.17-i486-10_slack14.1.txz: Rebuilt.
This update patches a security issue __nss_hostname_digits_dots() function
of glibc which may be triggered through the gethostbyname*() set of...
Categories:

KL-001-2015-001 : Windows 2003 tcpip.sys Privilege Escalation

January 29, 2015 - 8:27am

Posted by KoreLogic Disclosures on Jan 29

KL-001-2015-001 : Microsoft Windows Server 2003 SP2 Arbitrary Write Privilege Escalation

Title: Microsoft Windows Server 2003 SP2 Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2015-001
Publication Date: 2015.01.28
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-001.txt

1. Vulnerability Details

Affected Vendor: Microsoft
Affected Product: TCP/IP Protocol Driver
Affected Version:...
Categories:

[SECURITY] [DSA 3143-1] virtualbox security update

January 28, 2015 - 2:03pm

Posted by Moritz Muehlenhoff on Jan 28

-------------------------------------------------------------------------
Debian Security Advisory DSA-3143-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
January 28, 2015 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : virtualbox
CVE ID : CVE-2015-0377 CVE-2015-0418...
Categories:

Multiple vulnerabilities in MantisBT

January 28, 2015 - 12:04pm

Posted by High-Tech Bridge Security Research on Jan 28

Advisory ID: HTB23243
Product: MantisBT
Vendor: MantisBT Team
Vulnerable Version(s): 1.2.17 and probably prior
Tested Version: 1.2.17
Advisory Publication: December 3, 2014 [without technical details]
Vendor Notification: December 3, 2014
Vendor Patch: January 25, 2015
Public Disclosure: January 28, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79], Improper Access Control [CWE-284], SQL Injection [CWE-89]
CVE References: CVE-2014-9571,...
Categories: