[SECURITY] [DSA 4442-1] ghostscript security update

2019-05-13 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4442-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso May 12, 2019

SEC Consult SA-20190510-0 :: Unauthenticated SQL Injection vulnerability in OpenProject

2019-05-10 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20190510-0 > === title: Unauthenticated SQL Injection vulnerability product: OpenProject vulnerable version: 5.0.0 - 8.3.1 fixed version: 8.3.2 &

[SECURITY] [DSA 4441-1] symfony security update

2019-05-10 Thread Sebastien Delafond
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4441-1 secur...@debian.org https://www.debian.org/security/ Sebastien Delafond May 10, 2019

[SECURITY] [DSA 4440-1] bind9 security update

2019-05-10 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4440-1 secur...@debian.org https://www.debian.org/security/ Moritz Muehlenhoff May 09, 2019

[SECURITY] [DSA 4439-1] postgresql-9.6 security update

2019-05-10 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4439-1 secur...@debian.org https://www.debian.org/security/ Moritz Muehlenhoff May 09, 2019

dotCMS v5.1.1 Vulnerabilities

2019-05-09 Thread John Martinelli
Hello, I identified several vulnerabilities in dotCMS v5.1.1 due to vulnerable open source dependencies. Full security write up: http://secureli.com/dotcms-v5-1-1-vulnerable-open-source-dependencies/ The details:  /ROOT/html/js/scriptaculous/prototype.js ↳ prototypejs 1.5.0 prototypejs

SEC Consult SA-20190509-0 :: Multiple Vulnerabilities in Gemalto (Thales Group) DS3 Authentication Server / Ezio Server

2019-05-09 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20190509-0 > === title: Multiple Vulnerabilities product: Gemalto (Thales Group) DS3 Authentication Server / Ezio Server vulnerable

[SECURITY] [DSA 4438-1] atftp security update

2019-05-08 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4438-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso May 07, 2019

[Newsletter/Marketing] [ISN] Spot the not-Fed: A day at AvengerCon, the Army's answer to hacker conferences

2019-05-03 Thread InfoSec News
https://arstechnica.com/information-technology/2019/05/spot-the-not-fed-a-day-at-avengercon-the-armys-answer-to-hacker-conferences/ By Sean Gallagher Ars Technica 5/2/2019 FORT MEADE, Maryland -- Late last year, I was invited to a relatively new hacker event in Maryland. Chris Eagle, a

[Newsletter/Marketing] [ISN] Executive Order on America's Cybersecurity Workforce

2019-05-03 Thread InfoSec News
https://www.whitehouse.gov/presidential-actions/executive-order-americas-cybersecurity-workforce/ Issued on: May 2, 2019 By the authority vested in me as President by the Constitution and the laws of the United States of America, and to better ensure continued American economic prosperity and

[Newsletter/Marketing] [ISN] Sinister secret backdoor found in networking gear perfect for government espionage: The Chinese are -- oh no, wait, it's Cisco again

2019-05-03 Thread InfoSec News
https://www.theregister.co.uk/2019/05/02/cisco_vulnerabilities/ By Iain Thomson in San Francisco The Register 2 May 2019 Right on cue, Cisco on Wednesday patched a security vulnerability in some of its network switches that can be exploited by miscreants to commandeer the IT equipment and spy

[Newsletter/Marketing] [ISN] Why local governments are a hot target for cyberattacks

2019-05-03 Thread InfoSec News
https://www.csoonline.com/article/3391589/why-local-governments-are-a-hot-target-for-cyberattacks.html By Cynthia Brumfield CSO May 01, 2019 Over the course of the past few weeks, a seemingly stepped-up wave of malware and ransomware infections has struck a number of municipalities across the

[Newsletter/Marketing] [ISN] Hundreds of Orpak gas station systems can be easily hacked thanks to hardcoded passwords

2019-05-03 Thread InfoSec News
https://techcrunch.com/2019/05/02/orpak-gas-station-password/ By Zack Whittaker TechCrunch May 2, 2019 Homeland Security’s cybersecurity agency says a popular gas station software contains several security vulnerabilities that require “low skill” to exploit. The advisory, posted by the

[Newsletter/Marketing] [ISN] After account hacks, Twitch streamers take security into their own hands

2019-05-03 Thread InfoSec News
https://techcrunch.com/2019/04/30/twitch-account-hacks/ By Zack Whittaker TechCrunch April 30, 2019 Twitch has an account hacking problem. After the breach of popular browser game Town of Salem in January, some 7.8 million stolen passwords quickly became the weakest link not only for the game

[Newsletter/Marketing] [ISN] DHS Orders Agencies to Patch Critical Vulnerabilities Within 15 Days

2019-05-03 Thread InfoSec News
https://www.securityweek.com/dhs-orders-agencies-patch-critical-flaws-within-15-days By Eduard Kovacs SecurityWeek May 01, 2019 The U.S. Department of Homeland Security (DHS) this week issued a new Binding Operational Directive (BOD) instructing federal agencies and departments to act more

[Newsletter/Marketing] [ISN] Subscribing and Unsubscribing from InfoSec News

2019-05-03 Thread InfoSec News
Forwarded from: William Knowles It's come to my attention someone either subscribed or forwarded a day of InfoSec News to Bugtraq as I've been fielding a number of nastygrams and Tweets. I am not personally subscribed to Bugtraq but would appreciate if you do plan on emailing me to include

[Newsletter/Marketing] [ISN] Wall Street spending big to protect against hacking: report

2019-05-03 Thread InfoSec News
https://nypost.com/2019/05/01/wall-street-spending-big-to-protect-against-hacking-report/ By Kevin Dugan New York Post May 1, 2019 Wall Street’s biggest companies are pumping more cash into cybersecurity, as the industry’s brass openly frets that hackers are the next major threat to the

[Newsletter/Marketing] [ISN] Hackers Steal and Ransom Financial Data Related to Some of the World's Largest Companies

2019-05-03 Thread InfoSec News
https://motherboard.vice.com/en_us/article/d3np4y/hackers-steal-ransom-citycomp-airbus-volkswagen-oracle-valuable-companies By Joseph Cox Motherboard.vice.com April 30, 2019 Hackers have broken into an internet infrastructure firm that provides services to dozens of the world's largest and most

[Newsletter/Marketing] [ISN] Going Toe-to-Toe With Ukraine's Separatist Hackers

2019-05-03 Thread InfoSec News
https://foreignpolicy.com/2019/05/01/going-toe-to-toe-with-ukraines-separatist-hackers-cyber-russia/ By Elias Groll Foreign Policy May 1, 2019 The hacker realized that he was being watched. The spy software he was attempting to run against the Ukrainian government had infected the wrong

[Newsletter/Marketing] [ISN] MITRE asks vendors to do more to detect stealthy hacks

2019-05-03 Thread InfoSec News
https://www.cyberscoop.com/mitre-asks-vendors-detect-stealthy-hacks/ By Sean Lyngaas CYBERSCOOP MAY 1, 2019 As hackers continue to use native programming tools to blend into target networks, Mitre Corp. is beginning to test vendors’ ability to detect those techniques. The federally-funded,

[Newsletter/Marketing] [ISN] Attackers Used Red-Team, Pen-Testing Tools to Hack Wipro

2019-05-03 Thread InfoSec News
https://www.darkreading.com/attacks-breaches/attackers-used-red-team-pen-testing-tools-to-hack-wipro/d/d-id/1334586 By Robert Lemos Dark Reading 5/1/2019 The breach of outsourcing firm Wipro is a cybercriminal operation using tools common to red teams and penetration testers and has likely been

2019 Public Bug bounty launched

2019-05-03 Thread Reports
Greetings *, We are happy to say that we are live with our public bug bounty located at http://bugbounty.firosolutions.com, We welcome everyone to participate and hack the bug bounty. Ciao! Firo Solutions Staff

[SYSS-2019-005]: ABUS Secvest - Proximity Key - Cryptographic Issues (CWE-310)

2019-05-03 Thread matthias . deeg
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Advisory ID: SYSS-2019-005 Product: ABUS Secvest (FUAA5) Manufacturer: ABUS Affected Version(s): v3.01.01 Tested Version(s): v3.01.01 Vulnerability Type: Cryptographic Issues (CWE-310) Risk Level: Medium Solution Status: Open Manufacturer

Windows PowerShell ISE / Filename Parsing Flaw Remote Code Execution 0day

2019-05-01 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/WINDOWS-POWERSHELL-ISE-FILENAME-PARSING-FLAW-RCE-0DAY.txt [+] ISR: ApparitionSec [+] Zero Day Initiative Program [Vendor] www.microsoft.com

[SECURITY] CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server

2019-04-30 Thread Martin
CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server Severity: Medium Vendor: The Apache Software Foundation Versions Affected: Apache Archiva 2.0.0 - 2.2.3 The unsupported versions 1.x are also affected. It is possible to write files to the archiva server at

[SECURITY] CVE-2019-0213: Apache Archiva Stored XSS

2019-04-30 Thread Martin
CVE-2019-0213: Apache Archiva Stored XSS Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Archiva 2.0.0 - 2.2.3 The unsupported versions 1.x are also affected. It may be possible to store malicious XSS code into central configuration entries, i.e. the

[Newsletter/Marketing] [ISN] Microsoft Patch Alert: April patches have sharp edges, with several missing, others reappearing

2019-04-30 Thread InfoSec News
https://www.computerworld.com/article/3216425/microsoft-patch-alert-april-patches-have-sharp-edges-with-several-missing-others-reappearing.html By Woody Leonhard Columnist Computerworld April 29, 2019 You have to wonder who’s testing this stuff. Admins, in particular, have had a tough month.

[Newsletter/Marketing] [ISN] Augusta cyber-attacker sought more than $100,000 in ransom

2019-04-30 Thread InfoSec News
https://www.centralmaine.com/2019/04/28/augusta-cyber-attacker-sought-more-than-100k-in-ransom/ By Keith Edwards Kennebec Journal April 28, 2019 AUGUSTA -- The apparent, and still unknown, source of a cyberattack that shut down the city's computer network and forced the closure of Augusta City

[Newsletter/Marketing] [ISN] Man who allegedly leaked CIA hacking tools says he's been tortured and is owed $50 billion

2019-04-30 Thread InfoSec News
https://www.cyberscoop.com/vault-7-joshua-schulte-wikileaks-civil-rights-violation-50-billion/ By Jeff Stone CYBERSCOOP April 29, 2019 A former CIA computer engineer compared himself to a victim of the Nazis and said the government has caused him to lose more than $50 billion in income in a

[Newsletter/Marketing] [ISN] Russian Hackers Were 'In a Position' to Alter Florida Voter Rolls, Rubio Confirms

2019-04-30 Thread InfoSec News
https://www.nytimes.com/2019/04/26/us/florida-russia-hacking-election.html By Frances Robles The New York Times April 26, 2019 It was the day before the 2016 presidential election, and at the Volusia County elections office, near Florida’s Space Coast, workers were so busy that they had

[Newsletter/Marketing] [ISN] 'A Goldmine for Identity Thieves': Unprotected Database Puts 65% of American Households At Risk

2019-04-30 Thread InfoSec News
http://fortune.com/2019/04/29/security-gap-personal-information-breach/ By Chris Morris Fortune.com April 29, 2019 A pair of security experts has discovered an online, unprotected database that hosts personal data for 80 million American households. And, perhaps even more concerning, they’re

[Newsletter/Marketing] [ISN] Docker Hacked: 190,000 Accounts Breached

2019-04-30 Thread InfoSec News
https://www.cbronline.com/news/docker-hacked By Ed Targett Editor Computer Business Review April 29, 2019 Docker, the company behind an open platform for building and running distributed applications, said on Friday that hackers had breached one of its databases, potentially giving them access

[SECURITY] [DSA 4437-1] gst-plugins-base1.0 security update

2019-04-29 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4437-1 secur...@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 29, 2019

[REVIVE-SA-2019-001] Revive Adserver - Multiple vulnerabilities

2019-04-29 Thread Matteo Beccati
Revive Adserver Security Advisory REVIVE-SA-2019-001 https://www.revive-adserver.com/security/revive-sa-2019-001

[SECURITY] [DSA 4435-1] libpng1.6 security update

2019-04-29 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4435-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 27, 2019

[slackware-security] bind (SSA:2019-116-01)

2019-04-29 Thread Slackware Security Team
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [slackware-security] bind (SSA:2019-116-01) New bind packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix a security issue. Here are the details from the Slackware 14.2 ChangeLog: +--+

[SECURITY] [DSA 4436-1] imagemagick security update

2019-04-29 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4436-1 secur...@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 28, 2019

Multiple vulnerabilities in Sony Smart TVs

2019-04-24 Thread xen1thLabs
UNCLASSIFIED ## ADVISORY INFORMATION TITLE: Multiple vulnerabilities in Sony Smart TVs ADVISORY URL: https://www.darkmatter.ae/blogs/security-flaws-uncovered-in-sony-smart-tvs/ DATE PUBLISHED: 23/04/2019 AFFECTED VENDORS: Sony RELEASE MODE: Coordinated release CVE: CVE-2019-10886,

Confluence Security Advisory - 2019-04-17

2019-04-24 Thread Atlassian
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 This email refers to the advisory found at https://confluence.atlassian.com/x/d5e8OQ . CVE ID: * CVE-2019-3398. Product: Confluence Server and Confluence Data Center. Affected Confluence Server and Confluence Data Center versions: 6.6.0 <=

[SECURITY] [DSA 4434-1] drupal7 security update

2019-04-21 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4434-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 20, 2019

WordPress Plugin Contact Form Builder [CSRF → LFI]

2019-04-21 Thread Panagiotis Vagenas
# Exploit Title: Contact Form Builder [CSRF → LFI] # Date: 2019-03-17 # Exploit Author: Panagiotis Vagenas # Vendor Homepage: http://web-dorado.com/ # Software Link: https://wordpress.org/plugins/contact-form-builder # Version: 1.0.67 # Tested on: WordPress 5.1.1 Description --- Plugin

[slackware-security] libpng (SSA:2019-107-01)

2019-04-17 Thread Slackware Security Team
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [slackware-security] libpng (SSA:2019-107-01) New libpng packages are available for Slackware 14.2 and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: +--+

[SECURITY] [DSA 4433-1] ruby2.3 security update

2019-04-17 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4433-1 secur...@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 16, 2019

[SECURITY] [DSA 4432-1] ghostscript security update

2019-04-17 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4432-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 16, 2019

CVE-2018-2879 - anniversary

2019-04-17 Thread Red Timmy Sec -
For the anniversary of the discovery of CVE-2018-2879 by Sec Consult (https://sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/) we have decided to release OAMbuster, a multi-thread implementation of CVE-2018-2879. Link of the exploit:

[SE-2019-01] Gemalto SIM card applet loading vulnerability

2019-04-15 Thread Security Explorations
Hello All, On Mar 20, 2019 Security Explorations reported a security vulnerability (Issue 19) to Gemalto [1], that made it possible to achieve read, write and native code execution access on company's card (GemXplore 3G v3.0). On Mar 30, 2019, Gemalto provided us with the results of its

[SECURITY] [DSA 4431-1] libssh2 security update

2019-04-15 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4431-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 13, 2019

[**UPDATED] Microsoft Internet Explorer v11 / XML External Entity Injection 0day

2019-04-11 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt [+] ISR: ApparitionSec [Vendor] www.microsoft.com [Product]

[SECURITY] [DSA 4430-1] wpa security update

2019-04-11 Thread Yves-Alexis Perez
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4430-1 secur...@debian.org https://www.debian.org/security/ Yves-Alexis Perez April 10, 2019

Microsoft Internet Explorer v11 XML External Entity Injection 0day

2019-04-11 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt [+] ISR: ApparitionSec [Vendor] www.microsoft.com [Product]

WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002

2019-04-11 Thread Michael Catanzaro
WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002 Date reported : April 10, 2019 Advisory ID : WSA-2019-0002 WebKitGTK Advisory URL :

[SECURITY] [DSA 4429-1] spip security update

2019-04-10 Thread Sebastien Delafond
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4429-1 secur...@debian.org https://www.debian.org/security/ Sebastien Delafond April 10, 2019

[SECURITY] [DSA 4428-1] systemd security update

2019-04-09 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4428-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 08, 2019

[SECURITY] [DSA 4427-1] samba security update

2019-04-08 Thread Sebastien Delafond
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4427-1 secur...@debian.org https://www.debian.org/security/ Sebastien Delafond April 08, 2019

RE: [EXTERNAL] CALL FOR PAPERS - Hackers 2 Hackers Conference 16th edition

2019-04-08 Thread Michael Artemio Go Rebultan
Hi Rodrigo: Thank you so much for this CFP. Kindly see attached from my end. In my talk on the incoming "2019 Industrial Control Systems (ICS) Cyber Security Conference | Singapore" (https://www.icscybersecurityconference.com/singapore/), I will be covering Zero-day & fileless malware hunting

[slackware-security] httpd (SSA:2019-096-01)

2019-04-08 Thread Slackware Security Team
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [slackware-security] httpd (SSA:2019-096-01) New httpd packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix a security issue. Here are the details from the Slackware 14.2 ChangeLog: +--+

[SECURITY] [DSA 4426-1] tryton-server security update

2019-04-08 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4426-1 secur...@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 07, 2019

[slackware-security] wget (SSA:2019-095-02)

2019-04-08 Thread Slackware Security Team
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [slackware-security] wget (SSA:2019-095-02) New wget packages are available for Slackware 14.2 and -current to fix a security issue. Here are the details from the Slackware 14.2 ChangeLog: +--+

[slackware-security] openjpeg (SSA:2019-095-01)

2019-04-08 Thread Slackware Security Team
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [slackware-security] openjpeg (SSA:2019-095-01) New openjpeg packages are available for Slackware 14.2 and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: +--+

[SECURITY] [DSA 4425-1] wget security update

2019-04-08 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4425-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 05, 2019

WordPress plugin Contact Form by WD [CSRF → LFI]

2019-04-05 Thread Panagiotis Vagenas
# Exploit Title: Contact Form by WD [CSRF → LFI] # Date: 2019-03-17 # Exploit Author: Panagiotis Vagenas # Vendor Homepage: http://web-dorado.com/ # Software Link: https://wordpress.org/plugins/contact-form-maker # Version: 1.13.1 # Tested on: WordPress 5.1.1 Description --- Plugin

WordPress Plugin Form Maker by WD [CSRF → LFI]

2019-04-05 Thread Panagiotis Vagenas
# Title: Form Maker by WD [CSRF → LFI] # Date: 2019-03-17 # Exploit Author: Panagiotis Vagenas # Vendor Homepage: http://web-dorado.com/ # Software Link: https://wordpress.org/plugins/form-maker # Version: 1.13.2 # Tested on: WordPress 5.1 Description --- Plugin implements the following

[SECURITY] [DSA 4424-1] pdns security update

2019-04-04 Thread Sebastien Delafond
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4424-1 secur...@debian.org https://www.debian.org/security/ Sebastien Delafond April 04, 2019

Various vulnerabilities in Lupusec XT2 Plus home alarm system

2019-04-04 Thread Dan Fabian
=== title: Multiple Vulnerabilities product: Lupusec XT2 Plus Main Panel version: Firmware 0.0.2.19E homepage: https://www.lupus-electronics.de/ found: 01/2019

[SECURITY] [DSA 4423-1] putty security update

2019-04-04 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4423-1 secur...@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 03, 2019

[SECURITY] [DSA 4422-1] apache2 security update

2019-04-03 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4422-1 secur...@debian.org https://www.debian.org/security/ Stefan Fritsch April 03, 2019

[slackware-security] ghostscript (SSA:2019-092-01)

2019-04-02 Thread Slackware Security Team
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [slackware-security] ghostscript (SSA:2019-092-01) New ghostscript packages are available for Slackware 14.2 and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: +--+

[slackware-security] wget (SSA:2019-092-02)

2019-04-02 Thread Slackware Security Team
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [slackware-security] wget (SSA:2019-092-02) New wget packages are available for Slackware 14.2 and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: +--+

CVE-2019-7727 - JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution

2019-04-01 Thread Red Timmy Sec -
Description === NICE Engage is an interaction recording platform. The default configuration in versions <= 6.5 (and possible higher) binds an unauthenticated JMX/RMI interface to all network interfaces, without restricting registration of MBeans, which allows remote attackers to execute

[SECURITY] [DSA 4421-1] chromium security update

2019-04-01 Thread Michael Gilbert
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4421-1 secur...@debian.org https://www.debian.org/security/ Michael Gilbert March 31, 2019

[SECURITY] [DSA 4420-1] thunderbird security update

2019-04-01 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4420-1 secur...@debian.org https://www.debian.org/security/ Moritz Muehlenhoff March 30, 2019

[SECURITY] [DSA 4419-1] twig security update

2019-04-01 Thread Sebastien Delafond
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4419-1 secur...@debian.org https://www.debian.org/security/ Sebastien Delafond March 29, 2019

[SECURITY] [DSA 4418-1] dovecot security update

2019-03-28 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4418-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso March 28, 2019

[SAUTH-2019-0002] - Pydio 8 Multiple Vulnerabilities

2019-03-28 Thread SecureAuth Advisories
SecureAuth - SecureAuth Labs Advisory http://www.secureauth.com/ Pydio 8 Multiple Vulnerabilities 1. *Advisory Information* Title: Pydio 8 Multiple Vulnerabilities Advisory ID: SAUTH-2019-0002 Advisory URL: https://www.secureauth.com/labs/advisories/pydio-8-multiple-vulnerabilities Date

[slackware-security] gnutls (SSA:2019-086-01)

2019-03-27 Thread Slackware Security Team
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [slackware-security] gnutls (SSA:2019-086-01) New gnutls packages are available for Slackware 14.2 and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: +--+

APPLE-SA-2019-3-27-1 watchOS 5.2

2019-03-27 Thread Apple Product Security
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 APPLE-SA-2019-3-27-1 watchOS 5.2 watchOS 5.2 is now available and addresses the following: CFString Available for: Apple Watch Series 1 and later Impact: Processing a maliciously crafted string may lead to a denial of service Description: A

[RT-SA-2019-003] Cisco RV320 Unauthenticated Configuration Export

2019-03-27 Thread RedTeam Pentesting GmbH
Advisory: Cisco RV320 Unauthenticated Configuration Export RedTeam Pentesting discovered that the configuration of a Cisco RV320 router can still be exported without authentication via the device's web interface due to an inadequate fix by the vendor. Details === Product: Cisco RV320 Dual

[RT-SA-2019-005] Cisco RV320 Command Injection Retrieval

2019-03-27 Thread RedTeam Pentesting GmbH
Advisory: Cisco RV320 Command Injection RedTeam Pentesting discovered a command injection vulnerability in the web-based certificate generator feature of the Cisco RV320 router which was inadequately patched by the vendor. Details === Product: Cisco RV320 Dual Gigabit WAN VPN Router,

[RT-SA-2019-004] Cisco RV320 Unauthenticated Diagnostic Data Retrieval

2019-03-27 Thread RedTeam Pentesting GmbH
Advisory: Cisco RV320 Unauthenticated Diagnostic Data Retrieval RedTeam Pentesting discovered that the Cisco RV320 router still exposes sensitive diagnostic data without authentication via the device's web interface due to an inadequate fix by the vendor. Details === Product: Cisco RV320

[RT-SA-2019-007] Code Execution via Insecure Shell Function getopt_simple

2019-03-26 Thread RedTeam Pentesting GmbH
Advisory: Code Execution via Insecure Shell Function getopt_simple RedTeam Pentesting discovered that the shell function "getopt_simple", as presented in the "Advanced Bash-Scripting Guide", allows execution of attacker-controlled commands. Details === Product: Advanced Bash-Scripting

Recon 2019 Call For Papers - June 28 - 30, 2019 - Montreal, Canada

2019-03-26 Thread cfp
Recon Montreal - Call For Papers - June 28 - 30 - 2019 Welcome to TeleMate! ATDT1514XXX CONNECT 300 .. DATAPAC : DATAPAC: Call connected to This is a private system. Access attempts are logged. Unauthorized access may result in prosecution. Bienvenue! +

[slackware-security] mozilla-thunderbird (SSA:2019-084-01)

2019-03-26 Thread Slackware Security Team
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [slackware-security] mozilla-thunderbird (SSA:2019-084-01) New mozilla-thunderbird packages are available for Slackware 14.2 and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog:

APPLE-SA-2019-3-25-1 iOS 12.2

2019-03-26 Thread Apple Product Security
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 APPLE-SA-2019-3-25-1 iOS 12.2 iOS 12.2 is now available and addresses the following: CFString Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing a maliciously crafted string may lead to a

APPLE-SA-2019-3-25-6 iCloud for Windows 7.11

2019-03-26 Thread Apple Product Security
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 APPLE-SA-2019-3-25-6 iCloud for Windows 7.11 iCloud for Windows 7.11 is now available and addresses the following: CoreCrypto Available for: Windows 7 and later Impact: A malicious application may be able to elevate privileges Description: A

[article2pdf (Wordpress plug-in)] Multiple vulnerabilities (CVE-2019-1000031, CVE-2019-1010257)

2019-03-26 Thread Christian Lerrahn
Product: article2pdf (Wordpress plug-in) Product Website: https://wordpress.org/plugins/article2pdf/ Affected Versions: 0.24 and greater The following vulnerabilities were found in a code review of the plug-in. An attempt to contact the plug-in maintainer on 8 December 2018 was unsuccessful.

APPLE-SA-2019-3-25-3 tvOS 12.2

2019-03-26 Thread Apple Product Security
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 APPLE-SA-2019-3-25-3 tvOS 12.2 tvOS 12.2 is now available and addresses the following: CFString Available for: Apple TV 4K and Apple TV (4th generation) Impact: Processing a maliciously crafted string may lead to a denial of service Description: A

APPLE-SA-2019-3-25-5 iTunes 12.9.4 for Windows

2019-03-26 Thread Apple Product Security
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 APPLE-SA-2019-3-25-5 iTunes 12.9.4 for Windows iTunes 12.9.4 for Windows is now available and addresses the following: CoreCrypto Available for: Windows 7 and later Impact: A malicious application may be able to elevate privileges Description: A

APPLE-SA-2019-3-25-4 Safari 12.1

2019-03-26 Thread Apple Product Security
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 APPLE-SA-2019-3-25-4 Safari 12.1 Safari 12.1 is now available and addresses the following: Safari Reader Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and Mojave 10.14.4 Impact: Enabling the Safari Reader feature on a maliciously

APPLE-SA-2019-3-25-7 Xcode 10.2

2019-03-26 Thread Apple Product Security
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 APPLE-SA-2019-3-25-7 Xcode 10.2 Xcode 10.2 is now available and addresses the following: Kernel Available for: macOS 10.13.6 or later Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory

APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra

2019-03-26 Thread Apple Product Security
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra are now available and addresses the

Multiple vulnerabilities in DASAN H660RM GPON router firmware

2019-03-26 Thread Krzysztof Burghardt
Hi! CVE-2019-9974: diag_tool.cgi on DASAN H660RM devices with firmware 1.03-0022 allows spawning ping processes without any authorization leading to information disclosure and DoS attacks Remote attacker could enumerate hosts on LAN interface sending requests to /cgi-bin/diag_tool.cgi with ip

Atlassian - Confluence Security Advisory - 2019-03-20

2019-03-25 Thread Atlassian
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 This email refers to the advisory found at https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2019-03-20 . CVE ID: * CVE-2019-3395. * CVE-2019-3396. Product: Confluence Server and Confluence Data Center. Affected

[SYSS-2018-036]: ABUS Secvest Remote Control - Denial of Service - Uncontrolled Resource Consumption (CWE-400)

2019-03-25 Thread matthias . deeg
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Advisory ID: SYSS-2018-036 Product: ABUS Secvest Remote Control (FUBE50014, FUBE50015) Manufacturer: ABUS Affected Version(s): n/a Tested Version(s): n/a Vulnerability Type: Denial of Service - Uncontrolled Resource Consumption (CWE-400) Risk

[SYSS-2018-035]: ABUS Secvest Remote Control - Missing Encryption of Sensitive Data (CWE-311)

2019-03-25 Thread matthias . deeg
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Advisory ID: SYSS-2018-035 Product: ABUS Secvest Remote Control (FUBE50014, FUBE50015) Manufacturer: ABUS Affected Version(s): n/a Tested Version(s): n/a Vulnerability Type: Missing Encryption of Sensitive Data (CWE-311) Risk Level: High Solution

[SYSS-2018-034]: ABUS Secvest - Rolling Code - Predictable from Observable State (CWE-341)

2019-03-25 Thread matthias . deeg
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Advisory ID: SYSS-2018-034 Product: ABUS Secvest (FUAA5) Manufacturer: ABUS Affected Version(s): v3.01.01 Tested Version(s): v3.01.01 Vulnerability Type: Rolling Code - Predictable from Observable State (CWE-341) Risk Level: High Solution

[SECURITY] [DSA 4417-1] firefox-esr security update

2019-03-24 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4417-1 secur...@debian.org https://www.debian.org/security/ Moritz Muehlenhoff March 24, 2019

[SECURITY] [DSA 4416-1] wireshark security update

2019-03-24 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4416-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso March 24, 2019

[SECURITY] [DSA 4415-1] passenger security update

2019-03-24 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4415-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso March 24, 2019

[SECURITY] [DSA 4414-1] libapache2-mod-auth-mellon security update

2019-03-24 Thread Thijs Kinkhorst
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-4414-1 secur...@debian.org https://www.debian.org/security/ Thijs Kinkhorst March 23, 2019

[slackware-security] mozilla-firefox (SSA:2019-081-01)

2019-03-24 Thread Slackware Security Team
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [slackware-security] mozilla-firefox (SSA:2019-081-01) New mozilla-firefox packages are available for Slackware 14.2 and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: +--+
