FreeBSD Security Advisory FreeBSD-SA-13:10.sctp
=============================================================================
FreeBSD-SA-13:10.sctp                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel memory disclosure in sctp(4)

Category:       core
Module:         sctp
Announced:      2013-08-22
Credits:        Julian Seward, Michael Tuexen
Affects:        All supported versions of FreeBSD.
Corrected:      2013-08-15 04:25:16 UTC (stable/9, 9.2-PRERELEASE)
                2013-08-15 05:14:20 UTC (releng/9.2, 9.2-RC2)
                2013-08-22 00:51:48 UTC (releng/9.1, 9.1-RELEASE-p6)
                2013-08-15 04:35:25 UTC (stable/8, 8.4-STABLE)
                2013-08-22 00:51:56 UTC (releng/8.4, 8.4-RELEASE-p3)
                2013-08-22 00:51:56 UTC (releng/8.3, 8.3-RELEASE-p10)
CVE Name:       CVE-2013-5209

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit http://security.FreeBSD.org/.

I.   Background

The SCTP protocol provides reliable, flow-controlled, two-way
transmission of data.  It is a message oriented protocol and can
support the SOCK_STREAM and SOCK_SEQPACKET abstractions.

The SCTP protocol checks the integrity of messages by validating the
state cookie information that is returned from the peer.

II.  Problem Description

When initializing the SCTP state cookie being sent in INIT-ACK chunks,
a buffer allocated from the kernel stack is not completely initialized.

III. Impact

Fragments of kernel memory may be included in SCTP packets and
transmitted over the network.  For each SCTP session, there are two
separate instances in which a 4-byte fragment may be transmitted.

This memory might contain sensitive information, such as portions of
the file cache or terminal buffers.  This information might be directly
useful, or it might be leveraged to obtain elevated privileges in some
way.  For example, a terminal buffer might include a user-entered
password.

IV.  Workaround

No workaround is available, but systems not using the SCTP protocol are
not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-13:10/sctp.patch
# fetch http://security.FreeBSD.org/patches/SA-13:10/sctp.patch.asc
# gpg --verify sctp.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
http://www.FreeBSD.org/handbook/kernelconfig.html and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                         Revision
---------------------------------------------------------------------------
stable/8/                                                         r254354
releng/8.3/                                                       r254632
releng/8.4/                                                       r254632
stable/9/                                                         r254352
releng/9.1/                                                       r254631
releng/9.2/                                                       r254355
---------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing XX with the revision number, on a machine
with Subversion installed:

# svn diff -cXX --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing XX with the revision number:

http://svnweb.freebsd.org/base?view=revision&revision=XX

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5209

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-13:10.sctp.asc
[slackware-security] poppler (SSA:2013-233-03)
New poppler packages are available for Slackware 14.0, and -current to
fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/poppler-0.20.2-i486-2_slack14.0.txz:  Rebuilt.
  Sanitize error messages to remove escape sequences that could be used to
  exploit vulnerable terminal emulators.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2142
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting to the Slackware
project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/poppler-0.20.2-i486-2_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/poppler-0.20.2-x86_64-2_slack14.0.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/poppler-0.24.0-i486-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/poppler-0.24.0-x86_64-1.txz

MD5 signatures:
+-------------+

Slackware 14.0 package:
d942a0c604b8993fbb61e9d4998b45b1  poppler-0.20.2-i486-2_slack14.0.txz

Slackware x86_64 14.0 package:
47815fae9ed706eb9ff3ca0074713175  poppler-0.20.2-x86_64-2_slack14.0.txz

Slackware -current package:
95eea9252862f96a3005bbbe0b0da637  l/poppler-0.24.0-i486-1.txz

Slackware x86_64 -current package:
a78aedabb80d5772cae65db530cd2a74  l/poppler-0.24.0-x86_64-1.txz

Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg poppler-0.20.2-i486-2_slack14.0.txz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majord...@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
[slackware-security] hplip (SSA:2013-233-01)
New hplip packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37,
14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/hplip-3.12.9-i486-2_slack14.0.txz:  Rebuilt.
  This update fixes a stack-based buffer overflow in the hpmud_get_pml
  function that can allow remote attackers to cause a denial of service
  (crash) and possibly execute arbitrary code via a crafted SNMP response
  with a large length value.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4267
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Updated package for Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/hplip-2.8.4-i486-2_slack12.1.tgz

Updated package for Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/hplip-2.8.10-i486-2_slack12.2.tgz

Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/hplip-3.9.4b-i486-3_slack13.0.txz

Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/hplip-3.9.4b-x86_64-3_slack13.0.txz

Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/hplip-3.10.2-i486-3_slack13.1.txz

Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/hplip-3.10.2-x86_64-3_slack13.1.txz

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/hplip-3.11.3a-i486-2_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/hplip-3.11.3a-x86_64-2_slack13.37.txz

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/hplip-3.12.9-i486-2_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/hplip-3.12.9-x86_64-2_slack14.0.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/ap/hplip-3.13.8-i486-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/ap/hplip-3.13.8-x86_64-1.txz

Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg hplip-3.12.9-i486-2_slack14.0.txz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com
[slackware-security] xpdf (SSA:2013-233-02)
New xpdf packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37,
14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/xpdf-3.03-i486-1_slack14.0.txz:  Upgraded.
  Sanitize error messages to remove escape sequences that could be used to
  exploit vulnerable terminal emulators.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2142
  Thanks to mancha.
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Updated package for Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/xpdf-3.03-i486-1_slack12.1.tgz

Updated package for Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/xpdf-3.03-i486-1_slack12.2.tgz

Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/xpdf-3.03-i486-1_slack13.0.txz

Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/xpdf-3.03-x86_64-1_slack13.0.txz

Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/xpdf-3.03-i486-1_slack13.1.txz

Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/xpdf-3.03-x86_64-1_slack13.1.txz

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/xpdf-3.03-i486-1_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/xpdf-3.03-x86_64-1_slack13.37.txz

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/xpdf-3.03-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/xpdf-3.03-x86_64-1_slack14.0.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/xpdf-3.03-i486-3.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/xpdf-3.03-x86_64-3.txz

Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg xpdf-3.03-i486-1_slack14.0.txz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com
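The sanitization that the poppler (SSA:2013-233-03) and xpdf (SSA:2013-233-02) updates above describe, as an added example in C that is not code from either project: control bytes in an untrusted file name are rewritten to caret notation before the error message reaches the terminal, so the name can no longer start an escape sequence. The message text and the sample file name are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* A byte a terminal would act on rather than display: the C0 controls
 * (except TAB and LF, which are left as-is in an error message) and DEL.
 * Bytes 0x80 and above are passed through untouched: in a UTF-8 locale
 * they carry text, not C1 controls. */
static int is_terminal_control(unsigned char c)
{
    if (c == '\t' || c == '\n')
        return 0;
    return c < 0x20 || c == 0x7f;
}

/* Return a newly allocated copy of src in which every control byte is
 * replaced by its caret notation ("^[" for ESC, "^G" for BEL, "^?" for DEL),
 * so the result can never begin an escape sequence when printed.
 * The caller frees the result; NULL is returned on allocation failure. */
char *sanitize_for_terminal(const char *src)
{
    size_t n = strlen(src);
    if (n > (SIZE_MAX - 1) / 2)          /* worst case doubles the length */
        return NULL;
    char *out = malloc(2 * n + 1);
    if (out == NULL)
        return NULL;
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (is_terminal_control(c)) {
            out[o++] = '^';
            out[o++] = (c == 0x7f) ? '?' : (char)(c + 0x40);
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return out;
}

/* Does the string still contain a byte a terminal would interpret?
 * Used to check the sanitizer's output. */
int has_terminal_control(const char *s)
{
    for (; *s != '\0'; s++)
        if (is_terminal_control((unsigned char)*s))
            return 1;
    return 0;
}

/* Model of the fixed error path: the file name is untrusted (it came from
 * a command line, a link or a document), so it is sanitized before it is
 * written to stderr. */
void report_open_error(const char *untrusted_name)
{
    char *safe = sanitize_for_terminal(untrusted_name);
    fprintf(stderr, "Error: Couldn't open file '%s'\n",
            safe != NULL ? safe : "(name too long to display)");
    free(safe);
}

int main(void)
{
    /* Constructed sample: a name carrying a "clear screen" sequence and a BEL. */
    const char *sample = "report\x1b[2J\x07.pdf";
    report_open_error(sample);   /* prints: Error: Couldn't open file 'report^[[2J^G.pdf' */
    return 0;
}
```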
FreeBSD Security Advisory FreeBSD-SA-13:09.ip_multicast
=============================================================================
FreeBSD-SA-13:09.ip_multicast                               Security Advisory
                                                          The FreeBSD Project

Topic:          integer overflow in IP_MSFILTER

Category:       core
Module:         kernel
Announced:      2013-08-22
Credits:        Clement Lecigne (Google Security Team)
Affects:        All supported versions of FreeBSD.
Corrected:      2013-08-22 00:51:37 UTC (stable/9, 9.2-PRERELEASE)
                2013-08-22 00:51:43 UTC (releng/9.2, 9.2-RC2-p1)
                2013-08-22 00:51:48 UTC (releng/9.1, 9.1-RELEASE-p6)
                2013-08-22 00:51:37 UTC (stable/8, 8.4-STABLE)
                2013-08-22 00:51:56 UTC (releng/8.4, 8.4-RELEASE-p3)
                2013-08-22 00:51:56 UTC (releng/8.3, 8.3-RELEASE-p10)
CVE Name:       CVE-2013-3077

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit http://security.FreeBSD.org/.

I.   Background

IP multicast is a method of sending Internet Protocol (IP) datagrams to
a group of interested receivers in a single transmission.

II.  Problem Description

An integer overflow in computing the size of a temporary buffer can
result in a buffer which is too small for the requested operation.

III. Impact

An unprivileged process can read or write pages of memory which belong
to the kernel.  These may lead to exposure of sensitive information or
allow privilege escalation.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-13:09/ip_multicast.patch
# fetch http://security.FreeBSD.org/patches/SA-13:09/ip_multicast.patch.asc
# gpg --verify ip_multicast.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
http://www.FreeBSD.org/handbook/kernelconfig.html and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                         Revision
---------------------------------------------------------------------------
stable/8/                                                         r254629
releng/8.3/                                                       r254632
releng/8.4/                                                       r254632
stable/9/                                                         r254629
releng/9.1/                                                       r254631
releng/9.2/                                                       r254630
---------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing XX with the revision number, on a machine
with Subversion installed:

# svn diff -cXX --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing XX with the revision number:

http://svnweb.freebsd.org/base?view=revision&revision=XX

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3077

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-13:09.ip_multicast.asc
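The size computation the advisory describes, as an added example that is not FreeBSD's code: a user-supplied source count is multiplied into a temporary buffer size, first the unchecked way that wraps, then with the bound and overflow check that keeps the allocation consistent with the copy that follows. The request layout and the MAX_SOURCES limit are constructed assumptions for this example, not values taken from the advisory or from the fix.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a multicast source-filter request: a fixed header
 * (group, interface, filter mode, source count) followed by numsrc IPv4
 * source addresses of 4 bytes each. The real FreeBSD struct layout is
 * deliberately not reproduced here. */
#define FILTER_HDR_LEN   16u
#define SRC_ADDR_LEN     4u
/* Policy limit on sources per request: an assumption of this example. */
#define MAX_SOURCES      128u

/* The pattern the advisory describes: the caller's count is multiplied into
 * a buffer size with no check. numsrc and the product are both 32-bit, so
 * 0x40000004 * 4 wraps to 16 and the "temporary buffer" comes out as 32
 * bytes for a request that claims over a billion sources. */
size_t filter_size_unchecked(uint32_t numsrc)
{
    return FILTER_HDR_LEN + numsrc * SRC_ADDR_LEN;
}

/* Hardened version: reject counts above the policy bound before any
 * arithmetic, then widen to size_t and multiply only after proving the
 * product cannot wrap. On failure returns 0 and stores an errno value in
 * *err. The second check is already implied by MAX_SOURCES; it is kept so
 * the invariant survives a later change of the bound. */
size_t filter_size_checked(uint32_t numsrc, int *err)
{
    *err = 0;
    if (numsrc > MAX_SOURCES) {
        *err = ENOBUFS;
        return 0;
    }
    if ((size_t)numsrc > (SIZE_MAX - FILTER_HDR_LEN) / SRC_ADDR_LEN) {
        *err = EOVERFLOW;
        return 0;
    }
    return FILTER_HDR_LEN + (size_t)numsrc * SRC_ADDR_LEN;
}

/* Model of the socket-option path: size a temporary buffer from the caller's
 * count, then copy that many bytes of the request into it. With the checked
 * size the copy can never exceed the allocation. req must hold at least
 * filter_size_checked(numsrc) bytes. Returns 0 or an errno value. */
int copy_in_filter(const unsigned char *req, uint32_t numsrc)
{
    int err;
    size_t len = filter_size_checked(numsrc, &err);
    if (err != 0)
        return err;
    unsigned char *tmp = malloc(len);
    if (tmp == NULL)
        return ENOMEM;
    memcpy(tmp, req, len);
    /* ... the filter would be installed from tmp here ... */
    free(tmp);
    return 0;
}

int main(void)
{
    int err;
    uint32_t huge = 0x40000004u;
    printf("unchecked size for %" PRIu32 " sources: %zu bytes\n",
           huge, filter_size_unchecked(huge));
    size_t checked = filter_size_checked(huge, &err);
    printf("checked size: %zu (errno %d)\n", checked, err);
    return 0;
}
```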
[ MDVSA-2013:215 ] cacti
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:215
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : cacti
 Date    : August 22, 2013
 Affected: Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 SQL injection and shell escaping issues were discovered and fixed in
 cacti (CVE-2013-1434, CVE-2013-1435).

 The updated packages have been upgraded to the 0.8.8b version which
 is not vulnerable to these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1434
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1435
 http://www.debian.org/security/2013/dsa-2739.en.html
 http://www.cacti.net/changelog.php
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 32658f537224abfd7e4e48ce9522e5b6  mes5/i586/cacti-0.8.8b-0.1mdvmes5.2.noarch.rpm
 1b20a70e9a224fb4ed9af7d8d5f06cb5  mes5/SRPMS/cacti-0.8.8b-0.1mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 91534708a52902ddb1e3d2a50f8b25ef  mes5/x86_64/cacti-0.8.8b-0.1mdvmes5.2.noarch.rpm
 1b20a70e9a224fb4ed9af7d8d5f06cb5  mes5/SRPMS/cacti-0.8.8b-0.1mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
CVE-2013-4152 XML External Entity (XXE) injection in Spring Framework
Severity: Important

Vendor: Spring by Pivotal

Versions Affected:
- 3.0.0 to 3.2.3 (Spring OXM & Spring MVC)
- 4.0.0.M1 (Spring OXM)
- 4.0.0.M1-4.0.0.M2 (Spring MVC)
- Earlier unsupported versions may also be affected

Description:
The Spring OXM wrapper did not expose any property for disabling entity
resolution when using the JAXB unmarshaller. There are four possible source
implementations passed to the unmarshaller:
- DOMSource
- StAXSource
- SAXSource
- StreamSource

For a DOMSource, the XML has already been parsed by user code and that code is
responsible for protecting against XXE.

For a StAXSource, the XMLStreamReader has already been created by user code and
that code is responsible for protecting against XXE.

For SAXSource and StreamSource instances, Spring processed external entities by
default, thereby creating this vulnerability.

The issue was resolved by disabling external entity processing by default and
adding an option to enable it for those users that need to use this feature
when processing XML from a trusted source.

It was also identified that Spring MVC processed user provided XML with JAXB in
combination with a StAX XMLInputFactory without disabling external entity
resolution. External entity resolution has been disabled in this case.

Mitigation:
Users of affected versions should apply the following mitigation:
- Users of 3.x should upgrade to 3.2.4 or later
- Users of 4.x should upgrade to 4.0.0.RC1 or later once released

Note: the Spring OXM issue is fixed in 4.0.0.M2.

Credit:
These issues were identified by Alvaro Munoz of the HP Enterprise Security Team.

References:
http://www.gopivotal.com/security/cve-2013-4152
https://github.com/SpringSource/spring-framework/pull/317 (Spring OXM)
https://jira.springsource.org/browse/SPR-10806 (Spring MVC)

History:
2013-Aug-22: Initial vulnerability report published.
Joomla! VirtueMart component <= 2.0.22a - SQL Injection
== Description ==

- Software link: http://www.virtuemart.net/
- Affected versions: All versions between 2.0.8 and 2.0.22a are vulnerable.
- Vulnerability discovered by: Matias Fontanini

== Vulnerability ==

The vulnerability is located in the user controller, removeAddressST task.
The virtuemart_userinfo_id parameter is not properly sanitized before being
used in the DELETE query performed in it, allowing the execution of arbitrary
SQL queries.

In order to exploit the vulnerability, an attacker must be authenticated as a
customer in the application. However, since the system allows free account
registration, this is not a problem.

== Proof of concept ==

The following example URL uses the MySQL sleep function through the injection:

http://example.com/index.php?option=com_virtuemart&view=user&task=removeAddressST&virtuemart_userinfo_id=16%22%20and%20sleep(10)%20and%20%22%22%3D%22

== Solution ==

Upgrade the product to the 2.0.22b version.

== Report timeline ==

[2013-08-15] Vulnerability reported to vendor.
[2013-08-16] Developers answered back.
[2013-08-22] VirtueMart 2.0.22b was released, which fixes the reported issue.
[2013-08-22] Public disclosure.
[security bulletin] HPSBST02897 rev.1 - HP StoreOnce D2D Backup System, Remote Denial of Service (DoS)
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03828580

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03828580
Version: 1

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2013-08-22
Last Updated: 2013-08-22

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP StoreOnce D2D
Backup System. The vulnerability could be exploited remotely resulting in a
Denial of Service (DoS).

Please note that this issue does not affect HP StoreOnce Backup systems that
are running software version 3.0.0 or newer.

References: CVE-2013-2353 (SSRT101258)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP StoreOnce D2D Backup platforms running software version 2.2.18 or older and
1.2.18 or older.

HP StoreOnce D2D4324 Backup System (EH985A)
HP StoreOnce D2D4312 Backup System (EH983B)
HP StoreOnce D2D4312 Backup System (EH983A)
HP StoreOnce D2D4112 Backup System (EH993C)
HP StoreOnce D2D4112 Backup System (EH993B)
HP StoreOnce D2D4106i Backup System (EH996B)
HP StoreOnce D2D4106i Backup System (EH996A)
HP StoreOnce D2D4106fc Backup System (EH998B)
HP StoreOnce D2D4106fc Backup System (EH998A)
HP StoreOnce D2D2504i Backup System (EJ002C)
HP StoreOnce D2D2504i Backup System (EJ002B)
HP StoreOnce D2D2502i Backup System (EJ001C)
HP StoreOnce D2D2502i Backup System (EJ001B)
HP D2D4112 Backup System (EH993A)
HP D2D4009fc Backup System (EH942A)
HP D2D4009i Backup System (EH939A)
HP D2D4004fc Backup System (EH941A)
HP D2D4004i Backup System (EH938A)
HP D2D2504i Backup System (EJ002A)
HP D2D2503i Backup System (EH945A)
HP D2D2502i Backup System (EJ001A)

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2013-2353    (AV:A/AC:L/Au:N/C:N/I:N/A:C)       6.1
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Joshua Small of Technion for reporting this
issue to security-al...@hp.com

RESOLUTION
HP has made the following software updates available to resolve the
vulnerability.

HP StoreOnce D2D Backup platforms running software version 2.3.0 or subsequent.
HP StoreOnce D2D Backup platforms running software version 1.2.19 or subsequent.

Customers will need to upgrade their affected HP StoreOnce Backup systems with
the software update.

HISTORY
Version:1 (rev.1) - 22 August 2013 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the
title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2013 Hewlett-Packard Development Company, L.P.

Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for incidental,
special or consequential damages including downtime cost; lost profits;
damages relating to the procurement of substitute products or services; or
damages for loss of data, or software restoration. The information in this
document is subject to change without notice. Hewlett-Packard Company and the
names of Hewlett-Packard products referenced herein are trademarks of
Hewlett-Packard Company in the United States and other