BugTraq Latest Security Advisories

Syndicate content
The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
Updated: 23 min 41 sec ago

APPLE-SA-2014-10-16-5 OS X Server v2.2.5

October 17, 2014 - 6:07am

Posted by Apple Product Security on Oct 17

APPLE-SA-2014-10-16-5 OS X Server v2.2.5

OS X Server v2.2.5 is now available and addresses the following:

Server
Available for: OS X Mountain Lion v10.8.5
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
could force the use of SSL 3.0, even when the server would support a
better TLS version,...
Categories:

APPLE-SA-2014-10-16-4 OS X Server v3.2.2

October 17, 2014 - 5:59am

Posted by Apple Product Security on Oct 17

APPLE-SA-2014-10-16-4 OS X Server v3.2.2

OS X Server v3.2.2 is now available and addresses the following:

Server
Available for: OS X Mavericks v10.9.5 or later
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
could force the use of SSL 3.0, even when the server would support a
better TLS...
Categories:

APPLE-SA-2014-10-16-6 iTunes 12.0.1

October 17, 2014 - 5:49am

Posted by Apple Product Security on Oct 17

APPLE-SA-2014-10-16-6 iTunes 12.0.1

iTunes 12.0.1 is now available and addresses the following:

iTunes
Available for: Windows 8, Windows 7, Vista, XP SP2 or later
Impact: A man-in-the-middle attack while browsing the iTunes Store
via iTunes may lead to an unexpected application termination or
arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory...
Categories:

APPLE-SA-2014-10-16-3 OS X Server v4.0

October 17, 2014 - 5:40am

Posted by Apple Product Security on Oct 17

APPLE-SA-2014-10-16-3 OS X Server v4.0

OS X Server v4.0 is now available and addresses the following:

BIND
Available for: OS X Yosemite v10.10 or later
Impact: Multiple vulnerabilities in BIND, the most serious of which
may lead to a denial of service
Description: Multiple vulnerabilities existed in BIND. These issues
were addressed by updating BIND to version 9.9.2-P2
CVE-ID
CVE-2013-3919
CVE-2013-4854
CVE-2014-0591

CoreCollaboration...
Categories:

APPLE-SA-2014-10-16-2 Security Update 2014-005

October 17, 2014 - 5:30am

Posted by Apple Product Security on Oct 17

APPLE-SA-2014-10-16-2 Security Update 2014-005

Security Update 2014-005 is now available and addresses the
following:

Secure Transport
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
could force the use of SSL 3.0, even when...
Categories:

APPLE-SA-2014-10-16-1 OS X Yosemite v10.10

October 17, 2014 - 5:22am

Posted by Apple Product Security on Oct 17

APPLE-SA-2014-10-16-1 OS X Yosemite v10.10

OS X Yosemite v10.10 is now available and addresses the following:

802.1X
Impact: An attacker can obtain WiFi credentials
Description: An attacker could have impersonated a WiFi access
point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash,
and used the derived credentials to authenticate to the intended
access point even if that access point supported stronger
authentication methods....
Categories:

[CORE-2014-0007] -SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability

October 17, 2014 - 5:11am

Posted by CORE Advisories Team on Oct 17

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability

1. **Advisory Information**

Title: SAP Netweaver Enqueue Server Trace Pattern Denial of Service
Vulnerability
Advisory ID: CORE-2014-0007
Advisory URL:
http://www.coresecurity.com/advisories/sap-netweaver-enqueue-server-trace-pattern-denial-service-vulnerability
Date published: 2014-10-15
Date of last...
Categories:

[SECURITY] [DSA 3053-1] openssl security update

October 17, 2014 - 5:01am

Posted by Thijs Kinkhorst on Oct 17

-------------------------------------------------------------------------
Debian Security Advisory DSA-3053-1 security () debian org
http://www.debian.org/security/ Thijs Kinkhorst
October 16, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : openssl
CVE ID : CVE-2014-3513 CVE-2014-3566...
Categories:

Cisco Security Advisory: Cisco IronPort Appliances Telnet Remote Code Execution Vulnerability

October 17, 2014 - 4:52am

Posted by Cisco Systems Product Security Incident Response Team on Oct 17

Cisco Security Advisory: Cisco IronPort Appliances Telnet Remote Code Execution Vulnerability

Advisory ID: cisco-sa-20120126-ironport

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport

Revision 2.0

Last Updated 2014 October 16 13:40 UTC (GMT)

For Public Release 2012 January 26 17:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco...
Categories:

[SECURITY] [DSA 3052-1] wpa security update

October 16, 2014 - 6:11am

Posted by Michael Gilbert on Oct 16

-------------------------------------------------------------------------
Debian Security Advisory DSA-3052-1 security () debian org
http://www.debian.org/security/ Michael Gilbert
October 15, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : wpa
CVE ID : CVE-2014-3686
Debian Bug : 765352...
Categories:

[security bulletin] HPSBMU03126 rev.1 - HP Operations Manager (formerly OpenView Communications Broker), Remote Cross-site Scripting (XSS)

October 16, 2014 - 6:01am

Posted by security-alert on Oct 16

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04472444

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04472444
Version: 1

HPSBMU03126 rev.1 - HP Operations Manager (formerly OpenView Communications
Broker), Remote Cross-site Scripting (XSS)

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible....
Categories:

[security bulletin] HPSBHF03125 rev.1 - HP Next Generation Firewall (NGFW) running Bash Shell, Remote Code Execution

October 16, 2014 - 5:53am

Posted by security-alert on Oct 16

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04471538

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04471538
Version: 1

HPSBHF03125 rev.1 - HP Next Generation Firewall (NGFW) running Bash Shell,
Remote Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date:...
Categories:

[slackware-security] openssl (SSA:2014-288-01)

October 16, 2014 - 5:43am

Posted by Slackware Security Team on Oct 16

[slackware-security] openssl (SSA:2014-288-01)

New openssl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/openssl-solibs-1.0.1j-i486-1_slack14.1.txz: Upgraded.
(* Security fix *)
patches/packages/openssl-1.0.1j-i486-1_slack14.1.txz: Upgraded.
This update fixes several security...
Categories:

Bypassing blacklists based on IPy

October 16, 2014 - 5:33am

Posted by Nicolas Grégoire on Oct 16

IPy is a Python "class and tools for handling of IPv4 and IPv6 addresses
and networks" (https://github.com/haypo/python-ipy). This library is
sometimes used to implement blacklists forbidding internal, private or
loopback addresses.

Using octal encoding (supported by urllib2), it is possible to bypass
checks based on the result of the iptype() function. For example, IP
address '0177.0000.0000.0001' is considered as...
Categories:

[SECURITY] [DSA 3051-1] drupal7 security update

October 16, 2014 - 5:26am

Posted by Moritz Muehlenhoff on Oct 16

-------------------------------------------------------------------------
Debian Security Advisory DSA-3051-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
October 15, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : drupal7
CVE ID : CVE-2014-3704

Stefan Horst...
Categories:

Cisco Security Advisory: SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability

October 16, 2014 - 5:18am

Posted by Cisco Systems Product Security Incident Response Team on Oct 16

Cisco Security Advisory: SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability

Advisory ID: cisco-sa-20141015-poodle

Revision 1.0

For Public Release 2014 October 15 17:30 UTC (GMT)

+---------------------------------------------------------------------

Summary
+======

On October 14, 2014, a vulnerability was publicly announced in the Secure Sockets Layer version 3 (SSLv3) protocol when
using a block cipher in Cipher...
Categories:

Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability

October 16, 2014 - 5:07am

Posted by Stefan Horst on Oct 16

SektionEins GmbH
www.sektioneins.de

-= Security Advisory =-

Advisory: Drupal - pre-auth SQL Injection Vulnerability
Release Date: 2014/10/15
Last Modified: 2014/10/15
Author: Stefan Horst [stefan.horst[at]sektioneins.de]
Application: Drupal >= 7.0 <= 7.31
Severity: Full SQL injection, which results in total control and code execution of Website.
Risk: Highly Critical...
Categories:

Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Video Communication Server and Cisco Expressway Software

October 16, 2014 - 4:58am

Posted by Cisco Systems Product Security Incident Response Team on Oct 16

Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Video Communication Server and Cisco Expressway
Software

Advisory ID: cisco-sa-20141015-vcs

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-vcs

Revision 1.0

For Public Release 2014 October 15 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco TelePresence Video...
Categories:

Cisco Security Advisory: Cisco TelePresence MCU Software Memory Exhaustion Vulnerability

October 16, 2014 - 4:50am

Posted by Cisco Systems Product Security Incident Response Team on Oct 16

Cisco Security Advisory: Cisco TelePresence MCU Software Memory Exhaustion Vulnerability

Advisory ID: cisco-sa-20141015-mcu

Revision 1.0

For Public Release 2014 October 15 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A vulnerability in the network stack of Cisco TelePresence MCU Software could allow an unauthenticated, remote attacker
to cause the exhaustion of available memory...
Categories:

SEC Consult SA-20141015-0 :: Potential Cross-Site Scripting in ADF Faces

October 15, 2014 - 9:28am

Posted by SEC Consult Vulnerability Lab on Oct 15

SEC Consult Vulnerability Lab Security Advisory < 20141015-0 >
=======================================================================
title: Potential Cross-Site Scripting
product: ADF Faces
vulnerable version: 12.1.2.0
fixed version: versions with CPU Oct-2014 patch applied
impact: low
homepage: http://www.oracle.com/adf
found: 2014-05-01
by: W....
Categories: