BugTraq Latest Security Advisories

The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

MagniComp SysInfo Information Exposure [CVE-2018-7268]

May 18, 2018 - 2:18am

Posted by Harry Sintonen on May 18

MagniComp SysInfo Information Exposure [CVE-2018-7268]
======================================================
The latest version of this advisory is available at:
https://sintonen.fi/advisories/magnicomp-sysinfo-information-exposure.txt

Overview
--------

MagniComp SysInfo contains an information exposure vulnerability through debug
functionality.

Description
-----------

Due to a combination of setuid binary and verbose debugging, MagniComp...

[SECURITY] [DSA 4203-1] vlc security update

May 18, 2018 - 2:12am

Posted by Moritz Muehlenhoff on May 18

-------------------------------------------------------------------------
Debian Security Advisory DSA-4203-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
May 17, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : vlc
CVE ID : CVE-2017-17670

Hans Jerry Illikainen...

[slackware-security] curl (SSA:2018-136-01)

May 17, 2018 - 4:46am

Posted by Slackware Security Team on May 17

[slackware-security] curl (SSA:2018-136-01)

New curl packages are available for Slackware 14.0, 14.1, 14.2, and -current to
fix security issues.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/curl-7.60.0-i586-1_slack14.2.txz: Upgraded.
This release contains security fixes:
FTP: shutdown response buffer overflow
RTSP: bad headers buffer over-read
For more information, see:...

[slackware-security] php (SSA:2018-136-02)

May 17, 2018 - 4:38am

Posted by Slackware Security Team on May 17

[slackware-security] php (SSA:2018-136-02)

New php packages are available for Slackware 14.0, 14.1, and 14.2 to
fix security issues.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/php-5.6.36-i586-1_slack14.2.txz: Upgraded.
This fixes many bugs, including some security issues:
Heap Buffer Overflow (READ: 1786) in exif_iif_add_value
stream filter convert.iconv leads to infinite loop...

[SECURITY] [DSA 4202-1] curl security update

May 16, 2018 - 9:28pm

Posted by Alessandro Ghedini on May 16

-------------------------------------------------------------------------
Debian Security Advisory DSA-4202-1 security () debian org
https://www.debian.org/security/ Alessandro Ghedini
May 16, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : curl
CVE ID : CVE-2018-1000301
Debian Bug :...

CVE-2018-11101: Signal-desktop HTML tag injection variant 2

May 16, 2018 - 9:27pm

Posted by Alfredo Ortega on May 16

Title: Signal-desktop HTML tag injection variant 2

Date Published: 2018-05-16

Last Update: 2018-05-16

CVE Name: CVE-2018-11101

Class: Code injection

Remotely Exploitable: Yes

Locally Exploitable: No

Vendors contacted: Signal.org

Vulnerability Description:

Signal-desktop is the standalone desktop version of the secure
Signal messenger. This software is vulnerable to remote code execution
from a malicious contact, by sending a specially...

SEC Consult SA-20180516-0 :: XXE & XSS vulnerabilities in RSA Authentication Manager

May 16, 2018 - 9:18pm

Posted by SEC Consult Vulnerability Lab on May 16

SEC Consult Vulnerability Lab Security Advisory < 20180516-0 >
=======================================================================
title: XXE & XSS vulnerabilities
product: RSA Authentication Manager
vulnerable version: 8.2.1.4.0-build1394922, < 8.3 P1
fixed version: 8.3 P1 and later
CVE number: CVE-2018-1247
impact: High
homepage: https://www.rsa.com...

[SECURITY] [DSA 4201-1] xen security update

May 15, 2018 - 11:04pm

Posted by Moritz Muehlenhoff on May 15

-------------------------------------------------------------------------
Debian Security Advisory DSA-4201-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
May 15, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : xen
CVE ID : CVE-2018-8897 CVE-2018-10471...

CSNC-2018-003 totemomail Encryption Gateway - Cross-Site Request Forgery

May 15, 2018 - 5:12am

Posted by Advisories on May 15

################################################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
################################################################################
#
# Product: totemomail Encryption Gateway
# Vendor: totemo AG
# CSNC ID: CSNC-2018-003
# CVE ID: CVE-2018-6563
# Subject: Cross-Site Request Forgery
# Risk: High
# Effect: Remotely...

CSNC-2018-002 totemomail Encryption Gateway - JSONP hijacking

May 15, 2018 - 5:11am

Posted by Advisories on May 15

################################################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
################################################################################
#
# Product: totemomail Encryption Gateway
# Vendor: totemo AG
# CSNC ID: CSNC-2018-002
# CVE ID: CVE-2018-6562
# Subject: JSONP hijacking
# Risk: High
# Effect: Remotely exploitable
#...

Re: SEC Consult SA-20180514-0 :: Arbitrary File Upload & Cross-site scripting in MyBiz MyProcureNet

May 15, 2018 - 5:00am

Posted by SEC Consult Vulnerability Lab on May 15

The following CVE numbers have been assigned now:
XSS issue: CVE-2018-11090
Arbitrary File Upload: CVE-2018-11091

CVE-2018-10994: HTML tag injection in Signal-desktop

May 14, 2018 - 11:14pm

Posted by Alfredo Ortega on May 14

Title: HTML tag injection in Signal-desktop

Date Published: 14-05-2018

CVE Name: CVE-2018-10994

Class: Code injection

Remotely Exploitable: Yes

Locally Exploitable: No

Vendors contacted: Signal.org

Vulnerability Description:

Signal-desktop is the standalone desktop version of the secure Signal
messenger. This software is vulnerable to remote code execution from a
malicious contact, by sending a specially crafted message containing HTML...

[SECURITY] [DSA 4200-1] kwallet-pam security update

May 14, 2018 - 11:10pm

Posted by Moritz Muehlenhoff on May 14

-------------------------------------------------------------------------
Debian Security Advisory DSA-4200-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
May 14, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : kwallet-pam
CVE ID : CVE-2018-10380

Fabian Vogt...

SEC Consult SA-20180514-0 :: Arbitrary File Upload & Cross-site scripting in MyBiz MyProcureNet

May 14, 2018 - 9:09am

Posted by SEC Consult Vulnerability Lab on May 14

SEC Consult Vulnerability Lab Security Advisory < 20180514-0 >
=======================================================================
title: Arbitrary File Upload & Cross-site scripting
product: MyBiz MyProcureNet
vulnerable version: 5.0.0
fixed version: unknown
CVE number: -
impact: Critical
homepage: http://www.mybiz.net/
found: 2018-01-29...

Vulnerabilities in IBMs Flashsystems and Storwize Products

May 14, 2018 - 2:44am

Posted by Sebastian Neuner on May 14

Vulnerabilities in IBMs Flashsystems and Storwize Products
-------------------------------------------------------------------------

Introduction
============
Vulnerabilities were identified in the IBM Flashsystem 840, IBM Flashsystem
900 and IBM Storwize V7000. These were discovered during a black box
assessment and therefore the vulnerability list should not be considered
exhaustive; observations suggest that it is likely that further...