BugTraq Latest Security Advisories

The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

APPLE-SA-2018-9-24-6 Additional information for APPLE-SA-2018-9-17-3 tvOS 12

16 hours 56 min ago

Posted by Apple Product Security on Sep 24

APPLE-SA-2018-9-24-6 Additional information for
APPLE-SA-2018-9-17-3 tvOS 12

tvOS 12 addresses the following:

Auto Unlock
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A malicious application may be able to access local users'
AppleIDs
Description: A validation issue existed in the entitlement
verification. This issue was addressed with improved validation of
the process entitlement.
CVE-2018-4321: Min (Spark) Zheng, Xiaolong...

APPLE-SA-2018-9-24-5 Additional information for APPLE-SA-2018-9-17-2 watchOS 5

16 hours 58 min ago

Posted by Apple Product Security on Sep 24

APPLE-SA-2018-9-24-5 Additional information for
APPLE-SA-2018-9-17-2 watchOS 5

watchOS 5 addresses the following:

iTunes Store
Available for: Apple Watch Series 1 and later
Impact: An attacker in a privileged network position may be able to
spoof password prompts in the iTunes Store
Description: An input validation issue was addressed with improved
input validation.
CVE-2018-4305: Jerry Decime

Kernel
Available for: Apple Watch Series 1 and...

APPLE-SA-2018-9-24-4 Additional information for APPLE-SA-2018-9-17-1 iOS 12

16 hours 58 min ago

Posted by Apple Product Security on Sep 24

APPLE-SA-2018-9-24-4 Additional information for
APPLE-SA-2018-9-17-1 iOS 12

iOS 12 addresses the following:

Accounts
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local app may be able to read a persistent account
identifier
Description: This issue was addressed with improved entitlements.
CVE-2018-4322: Min (Spark) Zheng, Xiaolong Bai of Alibaba Inc.

Auto Unlock
Available for: iPhone 5s and...

APPLE-SA-2018-9-24-2 iTunes 12.9 for Windows

17 hours 3 min ago

Posted by Apple Product Security on Sep 24

APPLE-SA-2018-9-24-2 iTunes 12.9 for Windows

iTunes 12.9 for Windows addresses the following:

WebKit
Available for: Windows 7 and later
Impact: Unexpected interaction causes an ASSERT failure
Description: A memory corruption issue was addressed with improved
validation.
CVE-2018-4191: found by OSS-Fuzz

WebKit
Available for: Windows 7 and later
Impact: Cross-origin SecurityErrors include the accessed frame's
origin
Description: The issue...

APPLE-SA-2018-9-24-3 Additional information for APPLE-SA-2018-9-17-4 Safari 12

17 hours 6 min ago

Posted by Apple Product Security on Sep 24

APPLE-SA-2018-9-24-3 Additional information for
APPLE-SA-2018-9-17-4 Safari 12

Safari 12 addresses the following:

Safari
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14
Impact: A user may be unable to delete browsing history items
Description: Clearing a history item may not clear visits with
redirect chains. The issue was addressed with improved data deletion.
CVE-2018-4329: Hugo S. Diaz (coldpointblue)...

APPLE-SA-2018-9-24-1 macOS Mojave 10.14

17 hours 10 min ago

Posted by Apple Product Security on Sep 24

APPLE-SA-2018-9-24-1 macOS Mojave 10.14

macOS Mojave 10.14 is now available and addresses the following:

Bluetooth
Available for: iMac (21.5-inch, Late 2012), iMac (27-inch, Late 2012),
iMac (21.5-inch, Late 2013), iMac (21.5-inch, Mid 2014),
iMac (Retina 5K, 27-inch, Late 2014), iMac (21.5-inch, Late 2015),
Mac mini (Mid 2011), Mac mini Server (Mid 2011), Mac mini (Late 2012),
Mac mini Server (Late 2012), Mac mini (Late 2014), Mac Pro
(Late...

[SECURITY] [DSA 4305-1] strongswan security update

September 24, 2018 - 9:25am

Posted by Yves-Alexis Perez on Sep 24

-------------------------------------------------------------------------
Debian Security Advisory DSA-4305-1 security () debian org
https://www.debian.org/security/ Yves-Alexis Perez
September 24, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : strongswan
CVE ID : CVE-2018-16151 CVE-2018-16152...

[SECURITY] [DSA 4304-1] firefox-esr security update

September 24, 2018 - 3:05am

Posted by Moritz Muehlenhoff on Sep 24

-------------------------------------------------------------------------
Debian Security Advisory DSA-4304-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
September 23, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : firefox-esr
CVE ID : CVE-2018-12383 CVE-2018-12385...

[SECURITY] [DSA 4303-1] okular security update

September 24, 2018 - 3:03am

Posted by Moritz Muehlenhoff on Sep 24

-------------------------------------------------------------------------
Debian Security Advisory DSA-4303-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
September 23, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : okular
CVE ID : CVE-2018-1000801

Joran Herve...

[SECURITY] [DSA 4302-1] openafs security update

September 24, 2018 - 2:53am

Posted by Salvatore Bonaccorso on Sep 24

-------------------------------------------------------------------------
Debian Security Advisory DSA-4302-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
September 23, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : openafs
CVE ID : CVE-2018-16947 CVE-2018-16948...

[slackware-security] mozilla-firefox (SSA:2018-265-01)

September 24, 2018 - 2:50am

Posted by Slackware Security Team on Sep 24

[slackware-security] mozilla-firefox (SSA:2018-265-01)

New mozilla-firefox packages are available for Slackware 14.2 and -current to
fix security issues.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-60.2.1esr-i686-1_slack14.2.txz: Upgraded.
This release contains security fixes and improvements.
A potentially exploitable crash in TransportSecurityInfo used for SSL...

[SECURITY] [DSA 4301-1] mediawiki security update

September 24, 2018 - 2:46am

Posted by Moritz Muehlenhoff on Sep 24

-------------------------------------------------------------------------
Debian Security Advisory DSA-4301-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
September 22, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : mediawiki
CVE ID : CVE-2018-0503 CVE-2018-0504...

[SECURITY] [DSA 4300-1] libarchive-zip-perl security update

September 24, 2018 - 2:46am

Posted by Salvatore Bonaccorso on Sep 24

-------------------------------------------------------------------------
Debian Security Advisory DSA-4300-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
September 22, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libarchive-zip-perl
CVE ID : CVE-2018-10860
Debian...

[slackware-security] Slackware 14.2 kernel (SSA:2018-264-01)

September 24, 2018 - 2:43am

Posted by Slackware Security Team on Sep 24

[slackware-security] Slackware 14.2 kernel (SSA:2018-264-01)

New kernel packages are available for Slackware 14.2 to fix a security issue.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/linux-4.4.157/*: Upgraded.
This kernel removes the unnecessary vmacache_flush_all code which could have
led to a use-after-free situation and potentially local privilege escalation.
In addition, it...

[SYSS-2018-016] Postman - Improper Certificate Validation

September 24, 2018 - 2:40am

Posted by ludwig . stage on Sep 24

Advisory ID: SYSS-2018-016
Product: Postman (standalone)
Manufacturer: Postman
Affected Version(s): 6.3.0 and older
Tested Version(s): 6.2.2 x64 (Windows and Linux), 6.3.0
Vulnerability Type: Improper Certificate Validation (CWE-295)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2018-08-01
Solution Date: -
Public Disclosure: -
CVE Reference: CVE-2018-17215
Author of Advisory: Ludwig Stage, SySS GmbH...

[SECURITY] [DSA 4299-1] texlive-bin security update

September 24, 2018 - 2:37am

Posted by Yves-Alexis Perez on Sep 24

-------------------------------------------------------------------------
Debian Security Advisory DSA-4299-1 security () debian org
https://www.debian.org/security/ Yves-Alexis Perez
September 21, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : texlive-bin
CVE : not yet available

Nick...

[waraxe-2018-SA#107] - Reflected XSS in FV Flowplayer Wordpress plugin

September 20, 2018 - 11:46pm

Posted by come2waraxe on Sep 20

[waraxe-2018-SA#107] - Reflected XSS in FV Flowplayer Wordpress plugin
================================================================================

Author: Janek Vind "waraxe"
Date: 20. September 2018
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-107.html

Target description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FV Player is a free, easy-to-use, and complete solution for...

AST-2018-009: Remote crash vulnerability in HTTP websocket upgrade

September 20, 2018 - 11:44pm

Posted by Asterisk Security Team on Sep 20

Asterisk Project Security Advisory - AST-2018-009

Product Asterisk
Summary Remote crash vulnerability in HTTP websocket upgrade
Nature of Advisory Denial Of Service
Susceptibility Remote Unauthenticated Sessions
Severity Moderate...

[SECURITY] [DSA 4298-1] hylafax security update

September 20, 2018 - 11:40pm

Posted by Moritz Muehlenhoff on Sep 20

-------------------------------------------------------------------------
Debian Security Advisory DSA-4298-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
September 20, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : hylafax
CVE ID : CVE-2018-17141

Luis Merino,...

OPManager SQL Injection Vulnerability

September 20, 2018 - 6:04am

Posted by Murat Aydemir on Sep 20

I. VULNERABILITY
-------------------------
OPManager version 12.3, SQL Injection vulnerability

II. CVE REFERENCE
-------------------------
CVE-2018-17243

III. VENDOR
-------------------------
https://www.manageengine.com

IV. TIMELINE
-------------------------
10/09/18 Vulnerability discovered
13/09/18 Vendor contacted
19/09/2018 OPManager replied that they had fixed it

V. CREDIT
-------------------------
Murat Aydemir from Biznet Bilisim A.S.

VI....