Security Advisory: CVE-2011-2516

2011-07-07 Thread Cantor, Scott E.
Please be advised that a security issue affecting the Apache XML Security Library for C++ has been identified and an updated version released to address the issue. The full text of the advisory is below, and a signed version can be found at: http://santuario.apache.org/secadv/CVE-2011-2516.txt

Re: [Full-disclosure] Ubuntu: reseed(8), random.org, and HTTP request

2011-07-07 Thread Michal Zalewski
Ubuntu's reseed(8) can be used to seed the PRNG state of a host. The script is run when the package is installed, and anytime su executes the script. reseed(8) performs an unsecured HTTP request to random.org for its bits, despite random.org offering HTTPS services. This resulted in a couple of

[SECURITY] [DSA 2273-1] icedove security update

2011-07-07 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2273-1 secur...@debian.org http://www.debian.org/security/ Moritz Muehlenhoff July 06, 2011

[security bulletin] HPSBMA02674 SSRT100487 rev.2 - HP Service Manager and HP Service Center, Unauthorized Remote Access, Unsecured Local Access, Remote Disclosure of Privileged Information, HTTP Sessi

2011-07-07 Thread security-alert
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c02863015 Version: 2 HPSBMA02674 SSRT100487 rev.2 - HP Service Manager and HP Service Center, Unauthorized Remote Access, Unsecured Local Access, Remote Disclosure of Privileged Information,

Security Advisory: CVE-2011-2464 - ISC BIND 9 Remote packet Denial of Service against Authoritative and Recursive Servers

2011-07-07 Thread Barry Greene
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 ISC BIND 9 Remote packet Denial of Service against Authoritative and Recursive Servers A specially constructed packet will cause BIND 9 (named) to exit, affecting DNS service. CVE: CVE-2011-2464 Document Version: 2.0 Posting date: 05 Jul 2011

Aruba Advisory AID-070611 Cross Site Scripting vulnerability in ArubaOS and AirWave Administration Web Interfaces

2011-07-07 Thread RGill
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ADVISORY NUMBER AID-070611 Advisory # 1: TITLE Cross Site Scripting vulnerability in ArubaOS and AirWave Administration Web Interfaces. SUMMARY A persistent Cross Site Scripting vulnerability (XSS) was discovered where an attacker could plant

Security Advisory: CVE-2011-2465 ISC BIND 9 Remote Crash with Certain RPZ Configurations

2011-07-07 Thread Barry Greene
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 ISC BIND 9 Remote Crash with Certain RPZ Configurations Two defects were discovered in ISC's BIND 9 code. These defects only affect BIND 9 servers which have recursion enabled and which use a specific feature of the software known as Response

Re: Re: Multiple Cross-Site Scripting vulnerabilities in WebCalendar

2011-07-07 Thread sschurtz
No response from vendor so far! And no I didn't request a CVE-identifier, so I'd really appreciate your help :) Best regards, Stefan

Re: [Full-disclosure] Ubuntu: reseed(8), random.org, and HTTP request

2011-07-07 Thread Michal Zalewski
[ But for what it's worth, I am willing to bet that the script was added without analyzing these subtle considerations, and that makes it somewhat scary on its own accord. ] /mz