BugTraq Latest Security Advisories

The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

[SECURITY] [DSA 4209-1] thunderbird security update

May 25, 2018 - 1:26am

Posted by Moritz Muehlenhoff on May 24

-------------------------------------------------------------------------
Debian Security Advisory DSA-4209-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
May 25, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : thunderbird
CVE ID : CVE-2018-5150 CVE-2018-5154...

[SECURITY] [DSA 4210-1] xen security update

May 25, 2018 - 1:23am

Posted by Moritz Muehlenhoff on May 24

-------------------------------------------------------------------------
Debian Security Advisory DSA-4210-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
May 25, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : xen
CVE ID : CVE-2018-3639

This update provides...

Ruckus (Brocade) ICX7450-48 Reflected Cross Site Scripting

May 25, 2018 - 1:21am

Posted by Yavuz Atlas on May 24

I. VULNERABILITY
-------------------------
Ruckus (Brocade) ICX7450-48 Reflected Cross Site Scripting

II. CVE REFERENCE
-------------------------
CVE-2018-11027

III. VENDOR HOMEPAGE
-------------------------
https://www.ruckuswireless.com

IV. DESCRIPTION
-------------------------
Ruckus (Brocade) ICX7450-48 web application has a reflected cross-site
scripting vulnerability. A successful exploit could allow the attacker
to execute arbitrary...

Android OS Didn't use FLAG_SECURE for Sensitive Settings [CVE-2017-13243]

May 25, 2018 - 1:19am

Posted by research on May 24

[Blog post here:
https://wwws.nightwatchcybersecurity.com/2018/05/24/android-os-didnt-use-flag_secure-for-sensitive-settings-cve-2017-13243/]

SUMMARY

Android OS did not use the FLAG_SECURE flag for sensitive settings,
potentially exposing sensitive data to other applications on the same
device with the screen capture permissions. The vendor (Google) fixed
this issue in 2018-02-01 Pixel security update. Google has assigned
CVE-2017-13243 to...

PHP Login & User Management <= 4.1.0 - Arbitrary File Upload (CVE-2018-11392)

May 24, 2018 - 2:05am

Posted by reggie . dodd30 on May 24

[Title]
PHP Login & User Management <= 4.1.0 - Arbitrary File Upload (CVE-2018-11392)

[Product]
PHP Login & User Management
https://codecanyon.net/item/php-login-user-management/49008

[CVE]
CVE-2018-11392

[Credit]
Reginald Dodd

[Description]
An arbitrary file upload vulnerability in /classes/profile.class.php in Jigowatt "PHP Login & User Management" before
4.1.1, as distributed in the Envato Market, allows any...

[security bulletin] MFSBGN03808 rev.1 - Micro Focus UCMDB, Cross-Site Scripting

May 23, 2018 - 10:42am

Posted by cyber-psrt on May 23

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03164778

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03164778
Version: 1

MFSBGN03808 rev.1 - Micro Focus UCMDB, Cross-Site Scripting

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-05-23
Last Updated: 2018-05-23

Potential Security...

[CVE-2018-8013] Apache Batik information disclosure vulnerability

May 23, 2018 - 9:30am

Posted by Simon Steiner on May 23

CVE-2018-8013:
Apache Batik information disclosure vulnerability

Severity:
Medium

Vendor:
The Apache Software Foundation

Versions Affected:
Batik 1.0 - 1.9.1

Description:
When deserializing a subclass of `AbstractDocument`, the class takes a
string from the inputStream as the class name and then uses it to call the
no-arg constructor of that class.
The fix was to check the class type before calling...

[slackware-security] mozilla-thunderbird (SSA:2018-142-02)

May 23, 2018 - 3:45am

Posted by Slackware Security Team on May 23

[slackware-security] mozilla-thunderbird (SSA:2018-142-02)

New mozilla-thunderbird packages are available for Slackware 14.2 and -current
to fix security issues.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-52.8.0-i586-1_slack14.2.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:...

K2 smartforms runtime application - 4.6.11 SSRF

May 23, 2018 - 3:45am

Posted by fuming22 on May 23

# Vulnerability type: Server Side Request Forgery
# Vendor: https://www.k2.com/
# Product: K2 Smartforms
# Affected version: 4.6.11
# Credit: Foo Jong Meng
# CVE ID: CVE-2018-9920

# DESCRIPTION:

Server side request forgery exists in the runtime application in K2 smartforms 4.6.11 via a modified hostname in an
https://*/Identity/STS/Forms/Scripts URL.

By replacing the "GET" parameter to any external domain (i.e....

[SECURITY] [DSA 4208-1] procps security update

May 23, 2018 - 3:37am

Posted by Salvatore Bonaccorso on May 23

-------------------------------------------------------------------------
Debian Security Advisory DSA-4208-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
May 22, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : procps
CVE ID : CVE-2018-1122 CVE-2018-1123...

[slackware-security] procps-ng (SSA:2018-142-03)

May 23, 2018 - 3:30am

Posted by Slackware Security Team on May 23

[slackware-security] procps-ng (SSA:2018-142-03)

New procps-ng packages are available for Slackware 14.2 and -current to
fix security issues.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/procps-ng-3.3.15-i586-1_slack14.2.txz: Upgraded.
Shared library .so-version bump.
This update fixes bugs and security issues:
library: Fix integer overflow and LPE in file2strvec
library: Use...

[slackware-security] Slackware 14.2 kernel (SSA:2018-142-01)

May 23, 2018 - 3:21am

Posted by Slackware Security Team on May 23

[slackware-security] Slackware 14.2 kernel (SSA:2018-142-01)

New kernel packages are available for Slackware 14.2 to fix a regression in the
getsockopt() function and to fix two denial-of-service security issues.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/linux-4.4.132/*: Upgraded.
This kernel upgrade is being provided primarily to fix a regression in the
getsockopt() function,...

[SECURITY] [DSA 4207-1] packagekit security update

May 23, 2018 - 3:14am

Posted by Salvatore Bonaccorso on May 23

-------------------------------------------------------------------------
Debian Security Advisory DSA-4207-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
May 22, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : packagekit
CVE ID : CVE-2018-1106
Debian Bug :...

[SECURITY] [DSA 4206-1] gitlab security update

May 22, 2018 - 1:35am

Posted by Moritz Muehlenhoff on May 21

-------------------------------------------------------------------------
Debian Security Advisory DSA-4206-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
May 21, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : gitlab
CVE ID : CVE-2017-0920 CVE-2018-8971...

Qualys Security Advisory - Procps-ng Audit Report

May 21, 2018 - 8:30am

Posted by Qualys Security Advisory on May 21

Qualys Security Advisory

Procps-ng Audit Report

========================================================================
Contents
========================================================================

Summary
1. FUSE-backed /proc/PID/cmdline
2. Unprivileged process hiding
3. Local Privilege Escalation in top (Low Impact)
4. Denial of Service in ps
5. Local Privilege Escalation in libprocps (High Impact)
5.1. Vulnerability
5.2....

[SECURITY] [DSA 4205-1] Advance notification for upcoming end-of-life for

May 21, 2018 - 5:11am

Posted by Moritz Muehlenhoff on May 21

-------------------------------------------------------------------------
Debian Security Advisory DSA-4205-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
May 18, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

This is an advance notice that regular security support for Debian
GNU/Linux...

[SECURITY] [DSA 4204-1] imagemagick security update

May 21, 2018 - 4:38am

Posted by Sebastien Delafond on May 21

-------------------------------------------------------------------------
Debian Security Advisory DSA-4204-1 security () debian org
https://www.debian.org/security/ Sebastien Delafond
May 18, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : imagemagick
CVE ID : CVE-2017-10995 CVE-2017-11533...

[SYSS-2018-007] ILIAS e-Learning - Reflected Cross-Site-Scripting

May 21, 2018 - 4:34am

Posted by Moritz Bechler on May 21

Advisory ID: SYSS-2018-007
Product: ILIAS
Affected Version(s): 5.3.2, 5.2.14, 5.1.25
Tested Version(s): 5.3.2, 5.2.12
Vulnerability Type: Reflected Cross-Site-Scripting
Risk Level: MEDIUM
Solution Status: Fixed
Manufacturer Notification: 2018-03-29
Solution Date: 2018-04-25
Public Disclosure: 2018-05-18
CVE Reference: CVE-2018-10428
Author of Advisory: Moritz Bechler, SySS GmbH...

MagniComp SysInfo Information Exposure [CVE-2018-7268]

May 18, 2018 - 2:18am

Posted by Harry Sintonen on May 18

MagniComp SysInfo Information Exposure [CVE-2018-7268]
======================================================
The latest version of this advisory is available at:
https://sintonen.fi/advisories/magnicomp-sysinfo-information-exposure.txt

Overview
--------

MagniComp SysInfo contains an information exposure vulnerability through debug
functionality.

Description
-----------

Due to a combination of setuid binary and verbose debugging, MagniComp...

[SECURITY] [DSA 4203-1] vlc security update

May 18, 2018 - 2:12am

Posted by Moritz Muehlenhoff on May 18

-------------------------------------------------------------------------
Debian Security Advisory DSA-4203-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
May 17, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : vlc
CVE ID : CVE-2017-17670

Hans Jerry Illikainen...