BugTraq Latest Security Advisories

The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

Re: Multiple Vulnerabilities with Aztech Modem Routers

September 19, 2014 - 12:29pm

Posted by Federick Joe P Fajardo on Sep 19

The following CVEs have been assigned for these issues:

CVE-2014-6435 - Potential DoS attack
Link to OSVDB ID: 111432 - http://osvdb.org/show/osvdb/111432

CVE-2014-6436 - Broken Session Management
Link to OSVDB ID: 111433 - http://osvdb.org/show/osvdb/111433

CVE-2014-6437 - File and Data Exposure
Link to OSVDB ID: 111434 - http://osvdb.org/show/osvdb/111434
Link to OSVDB ID: 111435 - http://osvdb.org/show/osvdb/111435

09/01/2014 -...

[SECURITY] [DSA 3025-2] apt regression update

September 19, 2014 - 7:00am

Posted by Salvatore Bonaccorso on Sep 19

-------------------------------------------------------------------------
Debian Security Advisory DSA-3025-2 security () debian org
http://www.debian.org/security/ Salvatore Bonaccorso
September 18, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : apt
Debian Bug : 762079

The previous update for apt,...

AST-2014-010: Remote crash when handling out of call message in certain dialplan configurations

September 19, 2014 - 6:52am

Posted by Asterisk Security Team on Sep 19

Asterisk Project Security Advisory - AST-2014-010

Product Asterisk
Summary Remote crash when handling out of call message in
certain dialplan configurations
Nature of Advisory Remotely triggered crash of Asterisk
Susceptibility Remote authenticated sessions...

AST-2014-009: Remote crash based on malformed SIP subscription requests

September 19, 2014 - 6:43am

Posted by Asterisk Security Team on Sep 19

Asterisk Project Security Advisory - AST-2014-009

Product Asterisk
Summary Remote crash based on malformed SIP subscription
requests
Nature of Advisory Remotely triggered crash of Asterisk
Susceptibility Remote authenticated sessions...

CVE ID Syntax Change - Deadline Approaching

September 19, 2014 - 6:33am

Posted by Christey, Steven M. on Sep 19

As we approach the end of 2014, CVE identifiers are getting closer and
closer to the magic CVE-2014-9999 mark, which means that MITRE will be
issuing a 5-digit CVE ID within a matter of months, in accordance with
the new syntax that was selected in 2013 (basically using 5, 6, or
even more digits as needed). Some people are still unaware that this
change has happened or have been slow to implement it.

Once a CVE identifier is issued using the...

APPLE-SA-2014-09-17-7 Xcode 6.0.1

September 19, 2014 - 6:21am

Posted by Apple Product Security on Sep 19

APPLE-SA-2014-09-17-7 Xcode 6.0.1

Xcode 6.0.1 is now available and addresses the following:

subversion
Available for: OS X Mavericks v10.9.4 or later
Impact: A malicious attacker may be able to cause Subversion
to terminate unexpectedly
Description: A denial of service issue existed in Subversion when
SVNListParentPath was enabled. This issue was addressed by updating
Subversion to version 1.7.17.
CVE-ID
CVE-2014-0032

Xcode 6.0.1 may be...

Oracle Corporation MyOracle - Persistent Vulnerability

September 19, 2014 - 6:12am

Posted by Vulnerability Lab on Sep 19

Document Title:
===============
Oracle Corporation MyOracle - Persistent Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1261

Oracle Security ID (Team Tracking ID): admin () vulnerability-lab com-001:2014

http://vulnerability-db.com/magazine/articles/2014/09/17/oracle-corporation-fixed-vulnerability-myoracle-online-service-application

Release Date:
=============
2014-09-17...

Apple iOS / OSX Foundation NSXMLParser XML eXternal Entity (XXE) Flaw

September 19, 2014 - 6:01am

Posted by VSR Advisories on Sep 19

VSR Security Advisory
http://www.vsecurity.com/

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Advisory Name: Apple Foundation NSXMLParser XML eXternal Entity (XXE) Flaw
Release Date: 2014-09-17
Application: Apple iOS Foundation Framework
Apple OS X Foundation Framework
Versions: iOS 7.0, 7.1, OS X 10.9 - 10.9.4
Severity: High
Author:...

Apple iOS / OSX Foundation NSXMLParser XML eXternal Entity (XXE) Flaw

September 19, 2014 - 5:53am

Posted by VSR Advisories on Sep 19

hope that it will help promote public safety. This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose. Neither Virtual Security Research, LLC nor
the author accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible...

APPLE-SA-2014-09-17-6 OS X Server 2.2.3

September 19, 2014 - 5:41am

Posted by Apple Product Security on Sep 19

APPLE-SA-2014-09-17-6 OS X Server 2.2.3

OS X Server 2.2.3 is now available and addresses the following:

CoreCollaboration
Available for: OS X Mountain Lion v10.8.5
Impact: A remote attacker may be able to execute arbitrary SQL
queries
Description: A SQL injection issue existed in Wiki Server. This
issue was addressed through additional validation of SQL queries.
CVE-ID
CVE-2014-4424 : Sajjad Pourali (sajjad () securation com) of CERT of...

APPLE-SA-2014-09-17-5 OS X Server 3.2.1

September 19, 2014 - 5:32am

Posted by Apple Product Security on Sep 19

APPLE-SA-2014-09-17-5 OS X Server 3.2.1

OS X Server 3.2.1 is now available and addresses the following:

CoreCollaboration
Available for: OS X Mavericks v10.9.5 or later
Impact: A remote attacker may be able to execute arbitrary SQL
queries
Description: A SQL injection issue existed in Wiki Server. This
issue was addressed through additional validation of SQL queries.
CVE-ID
CVE-2014-4424 : Sajjad Pourali (sajjad () securation com) of CERT of...

APPLE-SA-2014-09-17-3 OS X Mavericks 10.9.5 and Security Update 2014-004

September 19, 2014 - 5:24am

Posted by Apple Product Security on Sep 19

APPLE-SA-2014-09-17-3 OS X Mavericks 10.9.5 and Security Update
2014-004

OS X Mavericks 10.9.5 and Security Update 2014-004 are now available
and address the following:

apache_mod_php
Available for: OS X Mavericks 10.9 to 10.9.4
Impact: Multiple vulnerabilities in PHP 5.4.24
Description: Multiple vulnerabilities existed in PHP 5.4.24, the
most serious of which may have led to arbitrary code execution. This
update addresses the issues by...

APPLE-SA-2014-09-17-4 Safari 6.2 and Safari 7.1

September 19, 2014 - 5:14am

Posted by Apple Product Security on Sep 19

APPLE-SA-2014-09-17-4 Safari 6.2 and Safari 7.1

Safari 6.2 and Safari 7.1 are now available and address the
following:

Safari
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: An attacker with a privileged network position may intercept
user credentials
Description: Saved passwords were autofilled on http sites, on https
sites with broken trust, and in iframes. This issue was addressed by
restricting password autofill...

CVE ID Syntax Change - Deadline Approaching

September 19, 2014 - 5:05am

Posted by Christey, Steven M. on Sep 19

As we approach the end of 2014, CVE identifiers are getting closer and
closer to the magic CVE-2014-9999 mark, which means that MITRE will be
issuing a 5-digit CVE ID within a matter of months, in accordance with
the new syntax that was selected in 2013 (basically using 5, 6, or
even more digits as needed). Some people are still unaware that this
change has happened or have been slow to implement it.

Once a CVE identifier is issued using the...

[SECURITY] [DSA 3028-1] icedove security update

September 19, 2014 - 4:56am

Posted by Moritz Muehlenhoff on Sep 19

-------------------------------------------------------------------------
Debian Security Advisory DSA-3028-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
September 17, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : icedove
CVE ID : CVE-2014-1562 CVE-2014-1567...

[SECURITY] [DSA 3027-1] libav security update

September 19, 2014 - 4:45am

Posted by Moritz Muehlenhoff on Sep 19

-------------------------------------------------------------------------
Debian Security Advisory DSA-3027-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
September 17, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libav
CVE ID : CVE-2013-7020

Several security...

APPLE-SA-2014-09-17-2 Apple TV 7

September 17, 2014 - 1:35pm

Posted by Apple Product Security on Sep 17

APPLE-SA-2014-09-17-2 Apple TV 7

Apple TV 7 is now available and addresses the following:

Apple TV
Available for: Apple TV 3rd generation and later
Impact: An attacker can obtain WiFi credentials
Description: An attacker could have impersonated a WiFi access
point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash,
and used the derived credentials to authenticate to the intended
access point even if that access point supported...

APPLE-SA-2014-09-17-1 iOS 8

September 17, 2014 - 1:23pm

Posted by Apple Product Security on Sep 17

APPLE-SA-2014-09-17-1 iOS 8

iOS 8 is now available and addresses the following:

802.1X
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker can obtain WiFi credentials
Description: An attacker could have impersonated a WiFi access
point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash,
and used the derived credentials to authenticate to the intended
access point even if...

Reflected Cross-Site Scripting (XSS) in MODX Revolution

September 17, 2014 - 1:12pm

Posted by High-Tech Bridge Security Research on Sep 17

Advisory ID: HTB23229
Product: MODX Revolution
Vendor: MODX
Vulnerable Version(s): 2.3.1-pl and probably prior
Tested Version: 2.3.1-pl
Advisory Publication: August 20, 2014 [without technical details]
Vendor Notification: August 20, 2014
Vendor Patch: September 11, 2014
Public Disclosure: September 17, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-5451
Risk Level: Low
CVSSv2 Base Score: 2.6...

Path Traversal in webEdition

September 17, 2014 - 1:00pm

Posted by High-Tech Bridge Security Research on Sep 17

Advisory ID: HTB23227
Product: webEdition
Vendor: webEdition e.V.
Vulnerable Version(s): 6.3.8.0 (SVN-Revision: 6985) and probably prior
Tested Version: 6.3.8.0 (SVN-Revision: 6985)
Advisory Publication: August 6, 2014 [without technical details]
Vendor Notification: August 6, 2014
Vendor Patch: September 4, 2014
Public Disclosure: September 17, 2014
Vulnerability Type: Path Traversal [CWE-22]
CVE Reference: CVE-2014-5258
Risk Level:...