BugTraq Latest Security Advisories

The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

[slackware-security] kernel (SSA:2013-140-01)

7 hours 6 min ago

Posted by Slackware Security Team on May 21

[slackware-security] kernel (SSA:2013-140-01)

New Linux kernel packages are available for Slackware 13.37 and 14.0 to fix
a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/linux-3.2.45/*: Upgraded.
Upgraded to new kernels that fix CVE-2013-2094, a bug that can allow local
users to gain a root shell. Be sure to upgrade your initrd and reinstall
LILO after upgrading...

Sony PS3 Firmware v4.31 - Code Execution Vulnerability

7 hours 19 min ago

Posted by Vulnerability Lab on May 21

Title:
======
Sony PS3 Firmware v4.31 - Code Execution Vulnerability

Date:
=====
2013-05-12

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=767

VL-ID:
=====
767

Common Vulnerability Scoring System:
====================================
6.5

Introduction:
=============
The PlayStation 3 is the third home video game console produced by Sony Computer Entertainment and the successor to the
PlayStation 2 as part of the...

CVE-2013-3496. Local privilege escalation vulnerability in Infotecs products (ViPNet Client\Coordinator, SafeDisk, Personal Firewall)

7 hours 34 min ago

Posted by chudakovma on May 21

CVE-2013-3496. Local privilege escalation vulnerability in Infotecs products (ViPNet Client\Coordinator, SafeDisk,
Personal Firewall)

CVE reference:
CVE-2013-3496

Credit:
Maksim Chudakov (@MChudakov)
Andrey Kurtasanov (andreykurtasanov () gmail com)

Severity:
Medium

Local\Remote:
Local

Vulnerability Class:
Privilege Escalation

Vendor URL:
http://www.infotecs.biz/

Affected OS:
Windows

Vulnerable systems:
ViPNet Client 3.2.10 (15632) and...

Revision of "IPv6 Stable Privacy Addresses" (Fwd: I-D Action: draft-ietf-6man-stable-privacy-addresses-07.txt)

7 hours 53 min ago

Posted by Fernando Gont on May 21

Folks,

We have published a revision of our IETF I-D "A method for Generating
Stable Privacy-Enhanced Addresses with IPv6 Stateless Address
Autoconfiguration (SLAAC)".

This revision is available at:
<http://tools.ietf.org/html/draft-ietf-6man-stable-privacy-addresses-07>.

This proposal is key for the mitigation of address-scanning attacks,
while at the same time preventing host-tracking.

Stay tuned for more IPv6 security news...

Defense in depth -- the Microsoft way

8 hours 4 min ago

Posted by Stefan Kanthak on May 21

Hi @ll,

the "Microsoft Installer" creates for applications installed via an
.MSI the following uninstall information in the Windows registry
(see <http://msdn.microsoft.com/library/aa372105.aspx>):

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall]
"UninstallString"="MsiExec.Exe /X{<GUID>}"
"ModifyPath"="MsiExec.Exe /I{<GUID>}"

Note the unqualified path...

Static analysis tool exposition (SATE) V Call for participation

8 hours 46 min ago

Posted by aure on May 21

NIST is preparing the fifth Static Analysis Tool Exposition (SATE V). Briefly, participating tool makers run their
static analyzer on a set of programs. Researchers led by NIST analyze the tool reports and present the results and
experiences at a workshop. A detailed plan is available at:

http://samate.nist.gov/SATE.html

We plan to provide test cases by June 3rd. Tool makers will have until August 1st (if at all possible; September 1st at...

CONFidence - May, 28-29, Krakow, Poland - a conference adventure that never stops!

May 17, 2013 - 10:44am

Posted by Sławomir Jabs on May 17

Everything has a story, everything evolves, adapts to changing circumstances
but does your IT Sec strategy evolve with the development of the digital
world?

Are you willing to gamble on the security of your systems?

Join the upcoming CONFidence conference and meet both renowned speakers and
specialists who deal with IT security on a daily basis. People like you,
who never stop asking questions and play with risks all the time...

We will...

[slackware-security] ruby (SSA:2013-136-02)

May 17, 2013 - 10:30am

Posted by Slackware Security Team on May 17

[slackware-security] ruby (SSA:2013-136-02)

New ruby packages are available for Slackware 13.1, 13.37, 14.0, and -current
to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/ruby-1.9.3_p429-i486-1_slack14.0.txz: Upgraded.
This update fixes a security issue in DL and Fiddle included in Ruby where
tainted strings can be used by system calls regardless of the $SAFE...

[slackware-security] mozilla-thunderbird x86_64 packages (SSA:2013-136-01)

May 17, 2013 - 10:14am

Posted by Slackware Security Team on May 17

[slackware-security] mozilla-thunderbird x86_64 packages (SSA:2013-136-01)

New mozilla-thunderbird packages are available for Slackware64 13.37 and
14.0. These were accidentally omitted from the last upload.

Here are the details from the Slackware64 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-17.0.6-x86_64-1_slack14.0.txz: Upgraded.
Here's the package that was missing from the last batch. The...

APPLE-SA-2013-05-16-1 iTunes 11.0.3

May 17, 2013 - 9:58am

Posted by Apple Product Security on May 17

APPLE-SA-2013-05-16-1 iTunes 11.0.3

iTunes 11.0.3 is now available and addresses the following:

iTunes
Available for: Mac OS X v10.6.8 or later, Windows 7, Vista,
XP SP2 or later
Impact: An attacker in a privileged network position may manipulate
HTTPS server certificates, leading to the disclosure of sensitive
information
Description: A certificate validation issue existed in iTunes. In
certain contexts, an active network attacker could...

ESA-2013-029: RSA SecurID Sensitive Information Disclosure Vulnerability

May 16, 2013 - 10:43am

Posted by Security Alert on May 16

ESA-2013-029: RSA SecurID Sensitive Information Disclosure Vulnerability

EMC Identifier: ESA-2013-029

CVE Identifier: CVE-2013-0941

Severity Rating: CVSS v2 Base Score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)

Affected Products:

RSA Authentication API versions prior to 8.1 SP1

RSA Web Agent for Apache Web Server versions prior to 5.3.5

RSA Web Agent for IIS versions prior to 5.3.5

RSA PAM Agent versions prior to 7.0

RSA Agent for Microsoft...

ESA-2013-041: EMC VNX and Celerra Control Station Elevation of Privilege Vulnerability

May 16, 2013 - 10:31am

Posted by Security Alert on May 16

ESA-2013-041: EMC VNX and Celerra Control Station Elevation of Privilege Vulnerability

EMC Identifier: ESA-2013-041

CVE Identifier: CVE-2013-3270

Severity Rating: CVSS v2 Base Score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)

Affected products:

• EMC VNX Control Station versions prior to 7.1.70.2
• EMC Celerra Control Station versions prior to 6.0.70.1

Summary:

A vulnerability exists in EMC VNX and EMC Celerra Control Station that...

[slackware-security] mozilla-thunderbird (SSA:2013-135-02)

May 16, 2013 - 10:07am

Posted by Slackware Security Team on May 16

[slackware-security] mozilla-thunderbird (SSA:2013-135-02)

New mozilla-thunderbird packages are available for Slackware 13.37, 14.0,
and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-17.0.6-i486-1_slack14.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:...

[slackware-security] mozilla-firefox (SSA:2013-135-01)

May 16, 2013 - 9:58am

Posted by Slackware Security Team on May 16

[slackware-security] mozilla-firefox (SSA:2013-135-01)

New mozilla-firefox packages are available for Slackware 13.37, 14.0,
and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-21.0-i486-1_slack14.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:...

[SECURITY] [DSA 2669-1] linux security update

May 16, 2013 - 9:40am

Posted by dann frazier on May 16

----------------------------------------------------------------------
Debian Security Advisory DSA-2669-1                   security () debian org
http://www.debian.org/security/                                Dann Frazier
May 15, 2013                               http://www.debian.org/security/faq
----------------------------------------------------------------------

Package : linux
Vulnerability : privilege escalation/denial of service/information...

Cisco Security Advisory: Cisco TelePresence Supervisor MSE 8050 Denial of Service Vulnerability

May 15, 2013 - 2:07pm

Posted by Cisco Systems Product Security Incident Response Team on May 15

Cisco Security Advisory: Cisco TelePresence Supervisor MSE 8050 Denial of Service Vulnerability

Advisory ID: cisco-sa-20130515-mse

Revision 1.0

For Public Release 2013 May 15 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco TelePresence Supervisor MSE 8050 contains a vulnerability that may allow an unauthenticated, remote attacker to
cause high CPU utilization and a reload of the...

Multiple Vulnerabilities in Exponent CMS

May 15, 2013 - 1:52pm

Posted by advisory on May 15

Advisory ID: HTB23154
Product: Exponent CMS
Vendor: Online Innovative Creations
Vulnerable Version(s): 2.2.0 beta 3 and probably prior
Tested Version: 2.2.0 beta 3
Vendor Notification: April 24, 2013
Vendor Patch: May 3, 2013
Public Disclosure: May 15, 2013
Vulnerability Type: SQL Injection [CWE-89], PHP File Inclusion [CWE-98]
CVE References: CVE-2013-3294, CVE-2013-3295
Risk Level: High
CVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P),...

[ MDVSA-2013:165 ] firefox

May 15, 2013 - 11:07am

Posted by security on May 15

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2013:165
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : firefox
Date : May 15, 2013
Affected: Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple...

[security bulletin] HPSBUX02859 SSRT101144 rev.3 - HP-UX Running XNTP, Remote Denial of Service (DoS) and Execution of Arbitrary Code

May 15, 2013 - 10:49am

Posted by security-alert on May 15

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03714526

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03714526
Version: 3

HPSBUX02859 SSRT101144 rev.3 - HP-UX Running XNTP, Remote Denial of Service
(DoS) and Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible....

[SECURITY] [DSA 2668-1] linux-2.6 security update

May 15, 2013 - 10:32am

Posted by dann frazier on May 15

----------------------------------------------------------------------
Debian Security Advisory DSA-2668-1                   security () debian org
http://www.debian.org/security/                                Dann Frazier
May 14, 2013                               http://www.debian.org/security/faq
----------------------------------------------------------------------

Package : linux-2.6
Vulnerability : privilege escalation/denial of...