BugTraq Latest Security Advisories

The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

Novel Contributions to the field - How I broke MySQL's code-base (Part 2) [CVE-2016-5541] MySQL cluster remote 0day

20 hours 11 min ago

Posted by Nicholas Lemonias. on Jan 18

************************************************************************************
* Copyright (c) 2017, Advanced Information Security Corp / Oracle Inc. *
************************************************************************************

ABSTRACT
===========

This industry-led...

Novel Contributions to the Field - How I broke MySQL's codebase (Part 2) [CVE-2016-5541] MySQL Cluster 0day

20 hours 19 min ago

Posted by lem . nikolas on Jan 18

**************************************************
(c) 2017 Advanced Information Security Corporation and Oracle Inc.

**************************************************

Author: Nicholas Lemonias
Date: 17/01/2017

MySQL Remote 0day / Remote Buffer Overflows in 'NDBAPI' Cluster

Full report with technical details can be obtained from:

https://www.docdroid.net/hwLnQVr/cve-2016-5541.pdf.html

(References)

[1] Oracle Critical...

[RCESEC-2016-012] Mattermost <= 3.5.1 "/error" Unauthenticated Reflected Cross-Site Scripting / Content Injection

20 hours 27 min ago

Posted by Julien Ahrens on Jan 18

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: Mattermost
Vendor URL: www.mattermost.org
Type: Cross-site Scripting [CWE-79]
Date found: 02/12/2016
Date published: 16/01/2017
CVSSv3 Score: 4.7 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)
CVE: -

2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE...

[security bulletin] HPSBMU03685 rev.1 - HPE Insight Control server provisioning (ICsp), Multiple Remote Vulnerabilities

20 hours 37 min ago

Posted by security-alert on Jan 18

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05376917

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05376917
Version: 1

HPSBMU03685 rev.1 - HPE Insight Control server provisioning (ICsp), Multiple
Remote Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2017-01-18
Last...

ESA-2016-161: EMC Isilon OneFS LDAP Injection Vulnerability

January 18, 2017 - 10:59am

Posted by EMC Product Security Response Center on Jan 18

ESA-2016-161: EMC Isilon OneFS LDAP Injection Vulnerability

EMC Identifier: ESA-2016-161

CVE Identifier: CVE-2016-9870

Severity Rating: CVSS v3 Base Score: 6.0 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)

Affected products:
• EMC Isilon OneFS 8.0.0.0
• EMC Isilon OneFS 7.2.1.0 - 7.2.1.2
• EMC Isilon OneFS 7.2.0.x
• EMC Isilon OneFS 7.1.1.0 - 7.1.1.10
• EMC Isilon...

ESA-2016-143: EMC Documentum Webtop and Clients Stored Cross-Site Scripting Vulnerability

January 18, 2017 - 10:49am

Posted by EMC Product Security Response Center on Jan 18

ESA-2016-143: EMC Documentum Webtop and Clients Stored Cross-Site Scripting Vulnerability

EMC Identifier: ESA-2016-143
CVE Identifier: CVE-2016-8213
Severity Rating: CVSS v3 Base Score: 6.5 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L)

Affected products:
• EMC Documentum Webtop –
  o Version 6.8, prior to P18
  o Version 6.8.1, prior to P06
• EMC Documentum TaskSpace version 6.7SP3, prior to P02
• EMC Documentum Capital...

[SECURITY] CVE-2016-8748: Apache NiFi XSS vulnerability in connection details dialogue

January 16, 2017 - 2:32pm

Posted by Joe Witt on Jan 16

CVE-2016-8748: Apache NiFi XSS vulnerability in connection details dialogue

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache NiFi 1.0.0
Apache NiFi 1.1.0

Description: There is a cross-site scripting vulnerability in
the connection details dialog when accessed by an authorized user. The
user-supplied text was not properly handled when added to the DOM.

Mitigation:
1.0.0 users should upgrade to 1.0.1 or 1.1.1....

[SECURITY] [DSA 3743-2] python-bottle regression update

January 16, 2017 - 3:51am

Posted by Sebastien Delafond on Jan 16

-------------------------------------------------------------------------
Debian Security Advisory DSA-3743-2 security () debian org
https://www.debian.org/security/ Sebastien Delafond
January 15, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : python-bottle
Debian Bug : 850176

The update for...

[SECURITY] [DSA 3765-1] icoutils security update

January 16, 2017 - 3:45am

Posted by Salvatore Bonaccorso on Jan 16

-------------------------------------------------------------------------
Debian Security Advisory DSA-3765-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
January 14, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : icoutils
CVE ID : CVE-2017-5331 CVE-2017-5332...

[security bulletin] HPSBGN03689 rev.1 - HPE Diagnostics, Remote Cross-Site Scripting and Click Jacking

January 16, 2017 - 3:36am

Posted by security-alert on Jan 16

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05370100

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05370100
Version: 1

HPSBGN03689 rev.1 - HPE Diagnostics, Remote Cross-Site Scripting and Click
Jacking

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2017-01-13
Last Updated:...

[security bulletin] HPSBST03671 rev.2 - HPE StoreEver MSL6480 Tape Library Management Interface, Multiple Remote Vulnerabilities

January 16, 2017 - 3:26am

Posted by security-alert on Jan 16

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05333297

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05333297
Version: 2

HPSBST03671 rev.2 - HPE StoreEver MSL6480 Tape Library Management Interface,
Multiple Remote Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date:...

[SECURITY] [DSA 3764-1] pdns security update

January 16, 2017 - 3:16am

Posted by Salvatore Bonaccorso on Jan 16

-------------------------------------------------------------------------
Debian Security Advisory DSA-3764-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
January 13, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : pdns
CVE ID : CVE-2016-2120 CVE-2016-7068...

[security bulletin] HPSBGN03694 rev.1 - HPE SiteScope, Remote Disclosure of Information

January 13, 2017 - 12:25am

Posted by security-alert on Jan 12

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05369403

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05369403
Version: 1

HPSBGN03694 rev.1 - HPE SiteScope, Remote Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2017-01-12
Last Updated: 2017-01-12

Potential...

ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

January 12, 2017 - 11:56am

Posted by Fernando Gont on Jan 12

Folks,

I'm curious about whether folks are filtering ICMPv6 PTB<1280
and/or IPv6 fragments targeted to BGP routers (off-list datapoints are
welcome).

In any case, you might find it worth reading to check if you're affected
(from Section 2 of recently-published RFC8021):

---- cut here ----
The security implications of IP fragmentation have been discussed at
length in [RFC6274] and [RFC7739]. An attacker can leverage the...

[SECURITY] [DSA 3760-1] ikiwiki security update

January 12, 2017 - 10:19am

Posted by Moritz Muehlenhoff on Jan 12

-------------------------------------------------------------------------
Debian Security Advisory DSA-3760-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
January 12, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : ikiwiki
CVE ID : CVE-2016-9646 CVE-2016-10026...

CVE-2017-5350: Unexpected SystemUI FC driven by arbitrary application

January 12, 2017 - 7:24am

Posted by unlimitsec on Jan 12

Description of the potential vulnerability: Lack of appropriate exception handling in some applications allows attackers
to make a systemUI crash easily resulting in a possible DoS attack
Affected versions: L(5.0/5.1), M(6.0), and N(7.0)
Disclosure status: Privately disclosed.
The patch prevents systemUI crashes by handling unexpected exceptions.

Fix:
http://security.samsungmobile.com/smrupdate.html#SMR-JAN-2017
SVE-2016-7122: Unexpected...

[slackware-security] bind (SSA:2017-011-01)

January 12, 2017 - 6:20am

Posted by Slackware Security Team on Jan 12

[slackware-security] bind (SSA:2017-011-01)

New bind packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
14.2, and -current to fix a security issue.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/bind-9.10.4_P5-i586-1_slack14.2.txz: Upgraded.
This update fixes a denial-of-service vulnerability. An error in handling
certain queries can cause an assertion failure when a...

[slackware-security] gnutls (SSA:2017-011-02)

January 12, 2017 - 6:10am

Posted by Slackware Security Team on Jan 12

[slackware-security] gnutls (SSA:2017-011-02)

New gnutls packages are available for Slackware 14.0, 14.1, 14.2, and -current
to fix security issues.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/gnutls-3.5.8-i586-1_slack14.2.txz: Upgraded.
This update fixes some bugs and security issues.
For more information, see:
https://gnutls.org/security.html#GNUTLS-SA-2017-1...